Bug 1893188 (CVE-2020-25690) - CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport
Summary: CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 ba...
Alias: CVE-2020-25690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1821664
Blocks: 1883806
TreeView+ depends on / blocked
Reported: 2020-10-30 13:32 UTC by Stefan Cornelius
Modified: 2021-02-16 18:59 UTC (History)
3 users (show)

Fixed In Version: fontforge 20200314
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in FontForge while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Last Closed: 2020-11-04 02:27:23 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4844 0 None None None 2020-11-04 04:19:23 UTC

Description Stefan Cornelius 2020-10-30 13:32:12 UTC
RHSA-2020:1921 fixed CVE-2020-5395 by backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected. Unfortunately, the Red Hat Enterprise Linux 8 fontforge package is affected.

Original first patch:

Additional patch required:

Comment 4 Product Security DevOps Team 2020-11-04 02:27:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 5 errata-xmlrpc 2020-11-04 04:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4844 https://access.redhat.com/errata/RHSA-2020:4844

Comment 6 RaTasha Tillery-Smith 2021-02-03 18:06:20 UTC

The impact of this flaw is set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Note You need to log in before you can comment on or make changes to this bug.