
Bug#1064967: marked as done (fontforge: CVE-2024-25081 CVE-2024-25082)



Your message dated Sat, 23 Mar 2024 08:42:35 +0000
with message-id <E1rnwxX-002ZX5-00@fasolo.debian.org>
and subject line Bug#1064967: fixed in fontforge 1:20201107~dfsg-4+deb11u1
has caused the Debian Bug report #1064967,
regarding fontforge: CVE-2024-25081 CVE-2024-25082
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1064967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: fontforge
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.

--- End Message ---
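The two CVEs in the report above are one bug class: an untrusted name, either a filename given to FontForge (CVE-2024-25081) or a name taken from inside an archive or compressed file (CVE-2024-25082), ends up spliced into a command string that is handed to a shell. The following C program is an added example written for this page, not FontForge's code and not the upstream fix. It shows the vulnerable pattern by composing the command line such code would pass to system(), and the standard remedy: running the helper through fork()/execvp() with an argv array, so the name is delivered as a single argument and shell metacharacters in it are inert. The helper tool (`gunzip`), the output path, the function names and the crafted filename are all constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed attacker-controlled name: looks like a compressed font file
 * but carries a second command after the ';'.  It could arrive as a
 * filename on the command line or as a member name read out of an archive;
 * the injection works the same way in both cases. */
static const char *const CRAFTED_NAME = "font.sfd.gz; echo INJECTED";

/* Vulnerable pattern: splice the untrusted name into a shell command line.
 * Nothing is executed here; the function only returns the string that a
 * call such as system(cmd) would hand to "/bin/sh -c". */
int build_shell_command(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "gunzip -c %s > /tmp/unpacked", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Crude detector, used only to make the bug visible: shell control
 * characters the programmer never wrote mean the filename has changed the
 * command's structure.  Not a sanitizer; the remedy is to avoid the shell. */
int shell_command_has_injection(const char *cmd)
{
    return strpbrk(cmd, ";|&`$") != NULL;
}

/* Hardened pattern: no shell.  argv[0] is the program and the filename is
 * one argv element, so metacharacters in it are plain bytes.  The child's
 * stdout is captured into out (NUL-terminated, truncated if needed).
 * Returns the child's exit status, or -1 on failure. */
int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int pipefd[2];
    if (outlen == 0 || pipe(pipefd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        execvp(argv[0], argv);
        _exit(127);                    /* only reached if exec failed */
    }

    close(pipefd[1]);                  /* parent keeps the read end */
    size_t used = 0;
    char scratch[256];                 /* drains output beyond outlen */
    for (;;) {
        int room_left = used + 1 < outlen;
        char *dst = room_left ? out + used : scratch;
        size_t cap = room_left ? outlen - 1 - used : sizeof scratch;
        ssize_t r = read(pipefd[0], dst, cap);
        if (r <= 0)
            break;
        if (room_left)
            used += (size_t)r;
    }
    out[used] = '\0';
    close(pipefd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Runs "echo <CRAFTED_NAME>" through the argv path.  Returns 1 if echo
 * printed the name byte-for-byte: the ';' and everything after it reached
 * the program as data, and no second command ran. */
int demo_hardened_passes_name_literally(char *out, size_t outlen)
{
    char *const argv[] = { "echo", (char *)CRAFTED_NAME, NULL };
    if (run_argv_capture(argv, out, outlen) != 0)
        return 0;
    size_t len = strlen(out);
    if (len > 0 && out[len - 1] == '\n')
        out[len - 1] = '\0';
    return strcmp(out, CRAFTED_NAME) == 0;
}

int main(void)
{
    char cmd[256], out[256];

    build_shell_command(CRAFTED_NAME, cmd, sizeof cmd);
    printf("command line a system() caller would run: %s\n", cmd);
    printf("second command smuggled in: %s\n",
           shell_command_has_injection(cmd) ? "yes" : "no");

    if (demo_hardened_passes_name_literally(out, sizeof out))
        printf("argv path: echo printed \"%s\" literally, nothing else ran\n", out);
    else
        printf("argv path: unexpected output \"%s\"\n", out);
    return 0;
}
```

Build with `cc -o inject inject.c` and run it: the first line shows `gunzip -c font.sfd.gz; echo INJECTED > /tmp/unpacked`, which a shell would execute as two commands, while the argv path prints the crafted name verbatim. Two caveats for a real fix: filtering metacharacters is fragile (quoting rules, locale, whitespace tricks), so the argv approach should replace the shell rather than supplement a blacklist; and a name beginning with `-` can still be parsed as an option by the helper, so end option parsing with `--` where the tool supports it, or prefix relative names with `./`.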
--- Begin Message ---
Source: fontforge
Source-Version: 1:20201107~dfsg-4+deb11u1
Done: Adrian Bunk <bunk@debian.org>

We believe that the bug you reported is fixed in the latest version of
fontforge, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated fontforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Mar 2024 22:56:38 +0200
Source: fontforge
Architecture: source
Version: 1:20201107~dfsg-4+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1064967
Changes:
 fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-25081: Spline Font command injection via crafted filenames
   * CVE-2024-25082: Spline Font command injection via crafted archives
     or compressed files
   * Closes: #1064967
Checksums-Sha1:
 02da1e253546ea8c9327a0c9f33d66afbfb6336e 2999 fontforge_20201107~dfsg-4+deb11u1.dsc
 70695fabd8cbba0486a8cae603cea14aef9b12a7 11840596 fontforge_20201107~dfsg.orig.tar.xz
 4a7c5e045711484791af318bd07aa1bb81d7c216 66808 fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz
Checksums-Sha256:
 6217637c8305ca5711c75c681c8a6a5d89381abffe7d81d7967428f6ffe82ac3 2999 fontforge_20201107~dfsg-4+deb11u1.dsc
 87672ca0dbfa3df42d768c3856186617059a5471fa99b35e7495d612a533c40b 11840596 fontforge_20201107~dfsg.orig.tar.xz
 69722b63483594f0a78c28176c2024e21f51bf6b242b26e4a90132c2d843e6ce 66808 fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz
Files:
 55a14e12ed5146a953b83a99619a20aa 2999 fonts optional fontforge_20201107~dfsg-4+deb11u1.dsc
 fcb397570d9502ae649f2735d5c09d6f 11840596 fonts optional fontforge_20201107~dfsg.orig.tar.xz
 99be1953b1326b82a9e543a8f6b5bed7 66808 fonts optional fontforge_20201107~dfsg-4+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpcsxD9NshTu.pgp
Description: PGP signature


--- End Message ---
