Bug 1893188 (CVE-2020-25690) - CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport
Alias: CVE-2020-25690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1821664
Blocks: 1883806
Reported: 2020-10-30 13:32 UTC by Stefan Cornelius
Modified: 2020-11-06 13:42 UTC
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write was discovered in fontforge while parsing SFD files containing certain LayerCount tokens. The flaw allows an attacker to corrupt memory allocated on the heap, which can crash the application or lead to arbitrary code execution.
Clone Of:
Last Closed: 2020-11-04 02:27:23 UTC


System: Red Hat Product Errata
ID: RHSA-2020:4844
Priority: None
Status: None
Summary: None
Last Updated: 2020-11-04 04:19:23 UTC

Description Stefan Cornelius 2020-10-30 13:32:12 UTC
RHSA-2020:1921 fixed CVE-2020-5395 by backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected. Unfortunately, the Red Hat Enterprise Linux 8 fontforge package is affected.

Original first patch:

Additional patch required:
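The description and Doc Text above attribute the flaw to a heap allocation whose size was wrong for the LayerCount value being processed. The following is an added example, not fontforge's code and not the upstream patch, of the defensive pattern a parser should follow for such a token: parse it, reject out-of-range counts, and derive both the allocation size and the recorded count from the same validated value so that no later loop can write past the buffer. The Font struct, the MAX_LAYERS cap, the function names and the sample token lines are all constructed for illustration; only the LayerCount token name comes from the page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap for this example; the page does not give fontforge's real limit. */
#define MAX_LAYERS 256

typedef struct {
    int  layer_count;  /* number of slots actually allocated in layers */
    int *layers;       /* one slot per layer, sized from layer_count */
} Font;

/* Parse an SFD-style "LayerCount: N" token line into a validated count.
   Returns 0 on success, -1 if the token is malformed or out of range. */
int parse_layer_count(const char *line, int *out)
{
    const char *p;
    char *end;
    long v;

    if (line == NULL || out == NULL) return -1;
    if (strncmp(line, "LayerCount:", 11) != 0) return -1;
    p = line + 11;
    errno = 0;
    v = strtol(p, &end, 10);                 /* strtol skips leading blanks */
    if (end == p || errno != 0) return -1;   /* no digits, or overflow */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;             /* trailing junk after the number */
    if (v < 0 || v > MAX_LAYERS) return -1;  /* negative or absurdly large */
    *out = (int)v;
    return 0;
}

/* Resize font->layers to hold exactly new_count entries. The allocation size
   and the recorded count come from the same value, so any later loop bounded
   by font->layer_count stays inside the buffer. On failure the font is left
   unchanged. */
int set_layer_count(Font *font, int new_count)
{
    int *grown;

    if (font == NULL || new_count < 0 || new_count > MAX_LAYERS) return -1;
    if (new_count == 0) {                    /* avoid realloc(ptr, 0) ambiguity */
        free(font->layers);
        font->layers = NULL;
        font->layer_count = 0;
        return 0;
    }
    grown = realloc(font->layers, (size_t)new_count * sizeof *grown);
    if (grown == NULL) return -1;
    for (int i = font->layer_count; i < new_count; i++)
        grown[i] = 0;                        /* initialise newly added slots */
    font->layers = grown;
    font->layer_count = new_count;
    return 0;
}

/* Apply one token line to the font: parse, validate, then resize. */
int apply_layer_count_token(Font *font, const char *line)
{
    int n;

    if (parse_layer_count(line, &n) != 0) return -1;
    return set_layer_count(font, n);
}

void font_free(Font *font)
{
    free(font->layers);
    font->layers = NULL;
    font->layer_count = 0;
}

int main(void)
{
    /* Constructed sample token lines, as they might appear in an SFD file. */
    const char *lines[] = {
        "LayerCount: 3",          /* accepted: layers grows to 3 slots */
        "LayerCount: 1000000",    /* rejected: exceeds MAX_LAYERS */
        "LayerCount: -1",         /* rejected: negative */
        "LayerCount: 2 junk",     /* rejected: trailing garbage */
    };
    Font font = {0, NULL};

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = apply_layer_count_token(&font, lines[i]);
        printf("%-22s -> %s (layer_count=%d)\n", lines[i],
               rc == 0 ? "ok" : "rejected", font.layer_count);
    }
    font_free(&font);
    return 0;
}
```

The point of keeping parse and resize as two steps is that every write into layers is bounded by the same layer_count that sized the allocation; a backport that changes one without the other is exactly the kind of mismatch this record describes, and the single validated value makes such a drift visible at review time.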

Comment 3 Stefan Cornelius 2020-10-30 13:44:25 UTC

Impact of the flaw set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Comment 4 Product Security DevOps Team 2020-11-04 02:27:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 5 errata-xmlrpc 2020-11-04 04:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4844 https://access.redhat.com/errata/RHSA-2020:4844
