1893188 – (CVE-2020-25690) CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport

Bug 1893188 (CVE-2020-25690) - CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport

Summary: CVE-2020-25690 fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 ba...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-25690
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1821664
Blocks:	1883806
TreeView+	depends on / blocked

Reported:	2020-10-30 13:32 UTC by Stefan Cornelius
Modified:	2021-02-16 18:59 UTC (History)
CC List:	3 users (show)
Fixed In Version:	fontforge 20200314
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds write flaw was found in FontForge while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:27:23 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4844	0	None	None	None	2020-11-04 04:19:23 UTC

Description Stefan Cornelius 2020-10-30 13:32:12 UTC

RHSA-2020:1921 fixed CVE-2020-5395 by backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected. Unfortunately, the Red Hat Enterprise Linux 8 fontforge package is affected.

Original first patch:
https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410

Additional patch required:
https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59

Comment 4 Product Security DevOps Team 2020-11-04 02:27:23 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25690

Comment 5 errata-xmlrpc 2020-11-04 04:19:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4844 https://access.redhat.com/errata/RHSA-2020:4844

Comment 6 RaTasha Tillery-Smith 2021-02-03 18:06:20 UTC

Statement:

The impact of this flaw is set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.

Note You need to log in before you can comment on or make changes to this bug.