Bug 1526142 (CVE-2017-17521) - CVE-2017-17521 fontforge: Command injection in help function uiutil.c
Summary: CVE-2017-17521 fontforge: Command injection in help function uiutil.c
Alias: CVE-2017-17521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1526143
Blocks: 1526144
Reported: 2017-12-14 20:30 UTC by Pedro Sampaio
Modified: 2021-02-17 01:05 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-01-02 17:42:17 UTC

Attachments
help function calls (5.21 KB, text/plain)
2018-01-02 17:38 UTC, Pedro Yóssis Silva Barbosa

Description Pedro Sampaio 2017-12-14 20:30:54 UTC
A flaw was found in FontForge through 20170731. uiutil.c does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. A different vulnerability than CVE-2017-17534.



Comment 1 Pedro Sampaio 2017-12-14 20:31:23 UTC
Created fontforge tracking bugs for this issue:

Affects: fedora-all [bug 1526143]

Comment 2 Pedro Yóssis Silva Barbosa 2018-01-02 17:38:12 UTC
Created attachment 1375842
help function calls

Using a crafted URL, it is possible to inject a command.

gdb> b *0x56f9bf

gdb> run --help

gdb> printf "%s", $rdi
"xdg-open" "http://fontforge.sf.net/overview.html" &

The thing is, though, the URL values seem to be all hardcoded and not possible to craft remotely (see attachment).
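
Added example, not part of the original comments and not FontForge source: it models the quoted command string seen in the gdb output above next to a launcher that validates the URL and execs the browser without a shell. The function names, the allowed character set and the example.invalid URL are assumptions constructed for illustration.

```c
/* Added example, not FontForge source: models the command string from the
 * gdb session above beside a launcher that never involves a shell. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample input: a quote closes the URL argument early. */
static const char CRAFTED_URL[] = "http://example.invalid/\" ; echo injected ; \"";

/* Pattern from the bug: browser and URL pasted into one shell command line.
 * Built for inspection only; this example never hands it to system(). */
int shell_command_for(const char *browser, const char *url, char *out, size_t n) {
    int len = snprintf(out, n, "\"%s\" \"%s\" &", browser, url);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Allow only http(s) URLs built from a conservative character set (no quotes,
 * whitespace, '$', backtick, ';' or '|'). Requiring the scheme prefix also
 * rejects a leading '-', which the browser would parse as an option. */
int url_is_safe(const char *url) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789-._~:/?#[]@!*+,=%&";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    return url[strspn(url, ok)] == '\0';
}

/* Hardened launcher: validate, then exec the browser directly so the URL is
 * exactly one argv element. Returns the child pid, or -1 if the URL is
 * rejected or fork fails. */
pid_t launch_browser(const char *browser, const char *url) {
    if (!url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127); /* exec failed */
    }
    return pid;
}

int main(void) {
    char cmd[256];
    if (shell_command_for("xdg-open", CRAFTED_URL, cmd, sizeof cmd) == 0)
        printf("shell would parse: %s\n", cmd);
    printf("validator accepts crafted URL: %d\n", url_is_safe(CRAFTED_URL));
    return 0;
}
```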

Comment 3 Pedro Yóssis Silva Barbosa 2018-01-02 17:42:27 UTC

This issue affects the versions of fontforge as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 4 Parag Nemade 2018-01-14 04:46:42 UTC

Do you still want the Fedora bug open? I see this got closed as WONTFIX, so Fedora bug 1526143 should get closed as WONTFIX, right?
