FontForge 20190801 has an out-of-bounds write in SFD_GetFontMetaData in sfd.c.
Created fontforge tracking bugs for this issue:
Affects: fedora-all [bug 1790042]
Vulnerable versions of fontforge allow the layer_cnt field of the SplineFont parser to be set to a very large number through the LayerCount token; the value is read into a signed integer and ends up negative. A negative count bypasses the reallocation of the layers array, and subsequently, while the Layer token is parsed, the code writes starting one byte before the beginning of the array. The out-of-bounds write overwrites heap metadata, which may be abused to crash the program or possibly execute code.
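The following is an added model of the pattern described above, not FontForge's sfd.c: a LayerCount value read through a 32-bit int, a growth check that a negative count skips, and a later Layer record whose zero-fill offset is computed from that count, shown beside a hardened variant. The names, the DEFAULT_LAYERS and MAX_LAYERS constants, and the two-default-layer assumption are the example's own. The vulnerable path only computes the offset it would write at, so it can be run safely.

```c
/* Added example (not FontForge's code): a model of the signed-count pattern
 * described in the advisory. Names, the MAX_LAYERS cap and the
 * two-default-layer assumption are hypothetical. Offsets are computed, never
 * written, so the vulnerable path can be executed without corrupting memory. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LAYERS 256          /* hypothetical upper bound on layers per font */
#define DEFAULT_LAYERS 2        /* assumption: two layers exist before LayerCount */

typedef struct {
    int    layer_cnt;           /* signed, as in the pattern being modelled */
    size_t layers_alloc;        /* LayerInfo slots actually allocated */
} FontState;

/* Models an int getter that reads a decimal token through a 32-bit int:
 * values above INT_MAX are reinterpreted modulo 2^32, so 4294967295 becomes -1.
 * The wrap is done with explicit arithmetic to keep the result well defined. */
static int read_int_token(const char *tok) {
    unsigned long long v = strtoull(tok, NULL, 10) & 0xFFFFFFFFULL;
    if (v >= 0x80000000ULL)
        return (int)((long long)v - 0x100000000LL);
    return (int)v;
}

/* Vulnerable LayerCount handling: the array only grows when the count exceeds
 * the default layers, so a negative count skips the realloc while layer_cnt
 * keeps the bogus value. Returns 1 when the growth path was skipped. */
static int vuln_layer_count(FontState *sf, const char *tok) {
    sf->layer_cnt = read_int_token(tok);
    if (sf->layer_cnt > DEFAULT_LAYERS) {
        sf->layers_alloc = (size_t)sf->layer_cnt;   /* realloc() in real code */
        return 0;
    }
    return 1;
}

/* Vulnerable Layer handling: the zero-fill of newly added slots starts at
 * layers + layer_cnt. With layer_cnt negative that start lies before the
 * array, i.e. on top of heap metadata. Returns the start offset in elements. */
static long vuln_layer(FontState *sf, int layer) {
    long start = 0;
    if (layer >= sf->layer_cnt) {
        start = sf->layer_cnt;                      /* memset(layers + start, ...) */
        sf->layers_alloc = (size_t)layer + 1;
        sf->layer_cnt = layer + 1;
    }
    return start;
}

/* Scenario: a LayerCount token followed by "Layer: <layer>". Returns the element
 * offset at which the zero-fill would begin; negative means out of bounds. */
static long oob_offset_for(const char *layer_count_tok, int layer) {
    FontState sf = { DEFAULT_LAYERS, DEFAULT_LAYERS };
    vuln_layer_count(&sf, layer_count_tok);
    return vuln_layer(&sf, layer);
}

/* Hardened LayerCount: parse into a wide type with error detection, then
 * require DEFAULT_LAYERS <= n <= MAX_LAYERS before touching layer_cnt.
 * Returns 0 on success, -1 when the token is rejected (state unchanged). */
static int safe_layer_count(FontState *sf, const char *tok) {
    char *end;
    errno = 0;
    long long v = strtoll(tok, &end, 10);
    if (end == tok || errno == ERANGE || v < DEFAULT_LAYERS || v > MAX_LAYERS)
        return -1;
    sf->layer_cnt = (int)v;
    if (v > DEFAULT_LAYERS)
        sf->layers_alloc = (size_t)v;
    return 0;
}

/* Hardened Layer: the index must be non-negative and below the cap; with
 * layer_cnt guaranteed >= DEFAULT_LAYERS the zero-fill start is never negative. */
static int safe_layer(FontState *sf, int layer) {
    if (layer < 0 || layer >= MAX_LAYERS)
        return -1;
    if (layer >= sf->layer_cnt) {
        sf->layers_alloc = (size_t)layer + 1;
        sf->layer_cnt = layer + 1;
    }
    return 0;
}

/* Scenario for the hardened parser: 0 if both tokens are accepted, -1 otherwise. */
static int hardened_accepts(const char *layer_count_tok, int layer) {
    FontState sf = { DEFAULT_LAYERS, DEFAULT_LAYERS };
    if (safe_layer_count(&sf, layer_count_tok) != 0)
        return -1;
    return safe_layer(&sf, layer);
}

int main(void) {
    printf("vulnerable: LayerCount 4294967295, Layer 1 -> zero-fill starts at element %ld\n",
           oob_offset_for("4294967295", 1));
    printf("hardened:   LayerCount 4294967295 -> %s\n",
           hardened_accepts("4294967295", 1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened variant keeps the count in a wide type until it has been bounds-checked, which is the check that matters: once layer_cnt can never be below the default and the Layer index can never be negative, the offset arithmetic in the growth path cannot point before the buffer.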
Impact of the flaw set to Moderate even though the CVSSv3.1 score is 8.8, since we don't consider a network-facing application that accepts untrusted font files a reasonable use of the fontforge tool/library, as also explained upstream in https://github.com/fontforge/fontforge/issues/4086#issuecomment-570772533 .
Impact of the flaw set to Moderate since upstream does not consider a network-facing application that accepts untrusted font files as a reasonable use of fontforge tool/library, making the impact of a possible exploitation of this flaw smaller.
FontForge upstream has made it clear that they do not want upstream commits cherry-picked and applied as patches in Fedora. See https://github.com/fontforge/fontforge/issues/4164#issuecomment-586589395
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1921 https://access.redhat.com/errata/RHSA-2020:1921
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):