Bug 1178308 - (CVE-2020-25690) VUL-0: CVE-2020-25690: fontforge: insufficient backport of CVE-2020-5395
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Cliff Zhao
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/270613/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25690:7.3:(AV:...
Reported: 2020-10-30 16:54 UTC by Alexandros Toptsoglou
Modified: 2021-01-07 11:51 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2020-10-30 16:54:28 UTC
CVE-2020-25690
By backporting an upstream patch. However, this backport was later found to introduce another issue causing an incorrect amount of heap memory space to be allocated, which could ultimately result in out of bounds heap memory manipulation when processing a specially crafted font file. This new problem was fixed upstream in a subsequent patch and, to our knowledge, no versioned upstream release was ever affected.

Original first patch:
https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410

Additional patch required:
https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1893188
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25690
Comment 1 Alexandros Toptsoglou 2020-10-30 16:55:13 UTC
Tracked as affected the following codestreams: 

SLE12
SLE15 
SLE15-SP2
Comment 2 Cliff Zhao 2020-11-13 02:16:05 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Tracked as affected the following codestreams: 
> 
> SLE12
> SLE15 
> SLE15-SP2

The Fontforge source could not be compiled in SLE15-SP2 (https://build.suse.de/package/show/SUSE:SLE-15-SP2:Update/fontforge), it has been excluded in all repos. Based on this fact, I couldn't do the porting work to this edition now.
Could our respectable maintenance (security) team give a little explanation?
Thank you very much!
Comment 4 Swamp Workflow Management 2020-11-29 20:29:53 UTC
openSUSE-SU-2020:2111-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    fontforge-20170731-lp151.4.6.1
Comment 5 Swamp Workflow Management 2020-12-04 20:20:57 UTC
SUSE-SU-2020:3628-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160220,1178308
CVE References: CVE-2020-25690,CVE-2020-5395
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    fontforge-20170731-11.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2021-01-05 14:59:11 UTC
isc branch -M -c SUSE:SLE-15-SP2:Update fontforge   

Will check it out locally for you. The SUSE:SLE-15-SP2:Update repo is not building, so it shows excluded.
Comment 7 Cliff Zhao 2021-01-06 01:49:54 UTC
(In reply to Marcus Meissner from comment #6)
> isc branch -M -c SUSE:SLE-15-SP2:Update fontforge   
> 
> will check it out locally for you. The SUSE:SLE-15-SP2:Update repo is not
> building, so it shows excluded.

Hi Marcus:
Thank you so much for the information.
Another reason I didn't submit to SLE15-SP2 is that it seems it already has these 2 fixes.
Am I right?
Comment 8 Marcus Meissner 2021-01-07 11:51:01 UTC
I checked SLES 15 SP2, it is already fixed.