Bug 1178308 (CVE-2020-25690)

Summary: VUL-0: CVE-2020-25690: fontforge: insufficient backport of CVE-2020-5395
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Cliff Zhao <qzhao>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner, security-team, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/270613/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25690:7.3:(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-10-30 16:54:28 UTC
CVE-2020-25690
By backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected.

Original first patch:
https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410

Additional patch required:
https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1893188
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25690
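The description above names the bug class (a heap block sized from the wrong quantity while parsing a crafted font file, followed by out-of-bounds writes into it) without showing any code. The C program below is an added, constructed illustration of that class next to its hardened counterpart; it is not fontforge's code and does not reproduce either upstream patch. The table layout, the `entry_t` struct, the function names and the sample byte strings are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed table format (an assumption for this example, not a real font
 * table): a 4-byte big-endian entry count, then `count` entries of 4 bytes
 * each: a 2-byte glyph id followed by a 2-byte offset. */
#define ENTRY_BYTES 4u

typedef struct {
    uint16_t glyph;
    uint16_t offset;
} entry_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_OVERFLOW = 2, PARSE_NOMEM = 3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* The defective sizing pattern, kept as a pure computation so it is never used
 * for a real allocation: the heap block is sized by the entry COUNT rather than
 * count * element size, so copying `count` structs into it writes past the
 * end of the block. */
size_t undersized_bytes(uint32_t count) { return (size_t)count; }

/* Bytes a block must have to hold `count` in-memory entries. */
size_t required_bytes(uint32_t count) { return (size_t)count * sizeof(entry_t); }

/* Hardened parser: the block is sized from the element size, both multiplies
 * are checked for overflow, and the input must really contain `count` entries
 * before anything is copied. */
int parse_table(const uint8_t *buf, size_t len, entry_t **out, size_t *n_out)
{
    *out = NULL;
    *n_out = 0;
    if (len < 4)
        return PARSE_TRUNCATED;
    uint32_t count = rd32(buf);
    size_t need_in, need_mem;
    if (__builtin_mul_overflow((size_t)count, (size_t)ENTRY_BYTES, &need_in) ||
        __builtin_mul_overflow((size_t)count, sizeof(entry_t), &need_mem))
        return PARSE_OVERFLOW;
    if (need_in > len - 4)          /* header claims more entries than the file carries */
        return PARSE_TRUNCATED;
    if (count == 0)
        return PARSE_OK;
    entry_t *e = malloc(need_mem);  /* sized by element size, not by count alone */
    if (!e)
        return PARSE_NOMEM;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += ENTRY_BYTES) {
        e[i].glyph = rd16(p);
        e[i].offset = rd16(p + 2);
    }
    *out = e;
    *n_out = count;
    return PARSE_OK;
}

/* Constructed sample: 3 entries, well formed. */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x00, 0x00, 0x03,
    0x00, 0x41, 0x00, 0x10,
    0x00, 0x42, 0x00, 0x20,
    0x00, 0x43, 0x00, 0x30,
};
/* Constructed sample: header claims 3 entries, only 2 are present. */
static const uint8_t SAMPLE_SHORT[] = {
    0x00, 0x00, 0x00, 0x03,
    0x00, 0x41, 0x00, 0x10,
    0x00, 0x42, 0x00, 0x20,
};

int main(void)
{
    entry_t *e;
    size_t n;
    int rc = parse_table(SAMPLE_OK, sizeof SAMPLE_OK, &e, &n);
    printf("well-formed: rc=%d entries=%zu\n", rc, n);
    free(e);
    rc = parse_table(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &e, &n);
    printf("truncated:   rc=%d entries=%zu\n", rc, n);
    printf("3 entries need %zu bytes; sizing by count alone gives %zu\n",
           required_bytes(3), undersized_bytes(3));
    return 0;
}
```

The point a reviewer of a backport would check is the same one the parser makes explicit: the byte count passed to the allocator must be derived from the in-memory element size and the validated count, and the validation against the input length must happen before the copy loop. `__builtin_mul_overflow` is the GCC/Clang checked multiply; `calloc(count, sizeof(entry_t))` would give the same overflow protection for the allocation itself but not for the input-length check.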
Comment 1 Alexandros Toptsoglou 2020-10-30 16:55:13 UTC
Tracked as affected the following codestreams: 

SLE12
SLE15 
SLE15-SP2
Comment 2 Cliff Zhao 2020-11-13 02:16:05 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Tracked as affected the following codestreams: 
> 
> SLE12
> SLE15 
> SLE15-SP2

The Fontforge source could not be compiled in SLE15-SP2 (https://build.suse.de/package/show/SUSE:SLE-15-SP2:Update/fontforge); it has been excluded in all repos. Based on this fact, I couldn't do the porting work for this edition now.
Could our respectable maintenance (security) team give a little explanation?
Thank you very much!
Comment 4 Swamp Workflow Management 2020-11-29 20:29:53 UTC
openSUSE-SU-2020:2111-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.6.1
Comment 5 Swamp Workflow Management 2020-12-04 20:20:57 UTC
SUSE-SU-2020:3628-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2021-01-05 14:59:11 UTC
isc branch -M -c SUSE:SLE-15-SP2:Update fontforge   

will check it out locally for you. The SUSE:SLE-15-SP2:Update repo is not building, so it shows excluded.
Comment 7 Cliff Zhao 2021-01-06 01:49:54 UTC
(In reply to Marcus Meissner from comment #6)
> isc branch -M -c SUSE:SLE-15-SP2:Update fontforge   
> 
> will check it out locally for you. The SUSE:SLE-15-SP2:Update repo is not
> building, so it shows excluded.

Hi Marcus:
Thank you so much for the information.
Another reason I didn't submit to SLE15-SP2 is that it seems it already has these 2 fixes.
Am I right?
Comment 8 Marcus Meissner 2021-01-07 11:51:01 UTC
I checked SLES 15 SP2; it is already fixed.