A flaw was found in FontForge through 20170731. uiutil.c does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. A different vulnerability than CVE-2017-17534.

References:
https://security-tracker.debian.org/tracker/CVE-2017-17521
Created fontforge tracking bugs for this issue:

Affects: fedora-all [bug 1526143]
Created attachment 1375842
help function calls

Using a crafted URL, it is possible to inject a command.

gdb> b *0x56f9bf
gdb> run --help
gdb> printf "%s", $rdi
"xdg-open" "http://fontforge.sf.net/overview.html" &

The thing is, though, the URL values seem to be all hardcoded and not possible to craft remotely (see attachment).
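An added example, not FontForge's code: the gdb output above shows a quoted command string ending in `&`, a form that only makes sense if a shell parses it (assumed here). The hypothetical helpers `url_is_launchable` and `launch_browser` sketch the defensive alternative, assuming BROWSER holds a single program name and only http/https URLs need to open: validate the URL against a character allow-list, then pass it as one argv element with no shell involved.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only http/https URLs built from a conservative
   character allow-list. Quotes, spaces, backslashes, '$', '`', ';' and
   control bytes are rejected, and the scheme check rules out a leading '-'
   that the browser could read as an option. */
int url_is_launchable(const char *url)
{
    static const char allowed[] = "-._~:/?#@%=&+,";
    size_t skip;

    if (url == NULL)
        return 0;
    if (strncmp(url, "http://", 7) == 0)
        skip = 7;
    else if (strncmp(url, "https://", 8) == 0)
        skip = 8;
    else
        return 0;
    if (url[skip] == '\0')
        return 0;                       /* scheme with nothing after it */
    for (const unsigned char *p = (const unsigned char *)url + skip; *p; p++)
        if (!isalnum(*p) && strchr(allowed, *p) == NULL)
            return 0;
    return 1;
}

/* Hypothetical launcher: start `browser` detached, passing the URL as a
   single argv element so that no shell ever parses it.
   Returns 0 once the launch was attempted, -1 if the input was refused. */
int launch_browser(const char *browser, const char *url)
{
    pid_t pid;

    if (browser == NULL || *browser == '\0' || !url_is_launchable(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (fork() == 0) {              /* grandchild: becomes the browser */
            char *const argv[] = { (char *)browser, (char *)url, NULL };
            execvp(browser, argv);
        }
        _exit(0);                       /* child, or grandchild if exec failed */
    }
    waitpid(pid, NULL, 0);              /* reap the short-lived child */
    return 0;
}
```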
Statement: This issue affects the versions of fontforge as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Pedro, do you still want the Fedora bug open? I see this got closed as WONTFIX, so Fedora bug 1526143 should get closed as WONTFIX, right?