pool/fontforge
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1155477 from M17N

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1155477
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fontforge?expand=0&rev=58
This commit is contained in:
Dominique Leuenberger 2024-03-06 22:02:55 +00:00 committed by Git OBS Bridge
commit 6bad222854
4 changed files with 8994 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8803
642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch Normal file
View File

File diff suppressed because it is too large Load Diff

172
fontforge-CVE-2024-25081-CVE-2024-25082.patch Normal file
View File

@ -0,0 +1,172 @@
commit 216eb14b558df344b206bf82e2bdaf03a1f2f429 (HEAD -> 216eb14b558df344b206bf82e2bdaf03a1f2f429_CVE-2024-25081_CVE-2024-25082)
Author: Peter Kydas <pk@canva.com>
Date: Tue Feb 6 20:03:04 2024 +1100
fix splinefont shell command injection (#5367)
diff -Nura fontforge-20230101/fontforge/splinefont.c fontforge-20230101_new/fontforge/splinefont.c
--- fontforge-20230101/fontforge/splinefont.c 2023-01-01 13:25:21.000000000 +0800
+++ fontforge-20230101_new/fontforge/splinefont.c 2024-03-04 21:23:26.813893591 +0800
@@ -788,11 +788,14 @@
char *Unarchive(char *name, char **_archivedir) {
char *dir = getenv("TMPDIR");
- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile;
+ char *pt, *archivedir, *listfile, *desiredfile;
char *finalfile;
int i;
int doall=false;
static int cnt=0;
+ gchar *command[5];
+ gchar *stdoutresponse = NULL;
+ gchar *stderrresponse = NULL;
*_archivedir = NULL;
@@ -827,18 +830,30 @@
listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
sprintf( listfile, "%s/" TOC_NAME, archivedir );
- listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
- strlen( archivers[i].listargs) + 1 +
- strlen( name ) + 3 +
- strlen( listfile ) +4 );
- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
- archivers[i].listargs, name, listfile );
- if ( system(listcommand)!=0 ) {
- free(listcommand); free(listfile);
- ArchiveCleanup(archivedir);
-return( NULL );
+ command[0] = archivers[i].unarchive;
+ command[1] = archivers[i].listargs;
+ command[2] = name;
+ command[3] = NULL; // command args need to be NULL-terminated
+
+ if ( g_spawn_sync(
+ NULL,
+ command,
+ NULL,
+ G_SPAWN_SEARCH_PATH,
+ NULL,
+ NULL,
+ &stdoutresponse,
+ &stderrresponse,
+ NULL,
+ NULL
+ ) == FALSE) { // did not successfully execute
+ ArchiveCleanup(archivedir);
+ return( NULL );
}
- free(listcommand);
+ // Write out the listfile to be read in later
+ FILE *fp = fopen(listfile, "wb");
+ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
+ fclose(fp);
desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
free(listfile);
@@ -847,22 +862,28 @@
return( NULL );
}
- /* I tried sending everything to stdout, but that doesn't work if the */
- /* output is a directory file (ufo, sfdir) */
- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
- strlen( archivers[i].listargs) + 1 +
- strlen( name ) + 1 +
- strlen( desiredfile ) + 3 +
- strlen( archivedir ) + 30 );
- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
- archivers[i].unarchive,
- archivers[i].extractargs, name, doall ? "" : desiredfile );
- if ( system(unarchivecmd)!=0 ) {
- free(unarchivecmd); free(desiredfile);
- ArchiveCleanup(archivedir);
-return( NULL );
+ command[0] = archivers[i].unarchive;
+ command[1] = archivers[i].extractargs;
+ command[2] = name;
+ command[3] = doall ? "" : desiredfile;
+ command[4] = NULL;
+
+ if ( g_spawn_sync(
+ (gchar*)archivedir,
+ command,
+ NULL,
+ G_SPAWN_SEARCH_PATH,
+ NULL,
+ NULL,
+ &stdoutresponse,
+ &stderrresponse,
+ NULL,
+ NULL
+ ) == FALSE) { // did not successfully execute
+ free(desiredfile);
+ ArchiveCleanup(archivedir);
+ return( NULL );
}
- free(unarchivecmd);
finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
sprintf( finalfile, "%s/%s", archivedir, desiredfile );
@@ -885,8 +906,12 @@
char *Decompress(char *name, int compression) {
char *dir = getenv("TMPDIR");
- char buf[1500];
char *tmpfn;
+ gchar *command[4];
+ gint stdout_pipe;
+ gchar buffer[4096];
+ gssize bytes_read;
+ GByteArray *binary_data = g_byte_array_new();
if ( dir==NULL ) dir = P_tmpdir;
tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
@@ -894,11 +919,41 @@
strcat(tmpfn,"/");
strcat(tmpfn,GFileNameTail(name));
*strrchr(tmpfn,'.') = '\0';
- snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn );
- if ( system(buf)==0 )
-return( tmpfn );
- free(tmpfn);
-return( NULL );
+
+ command[0] = compressors[compression].decomp;
+ command[1] = "-c";
+ command[2] = name;
+ command[3] = NULL;
+
+ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data)
+ if (g_spawn_async_with_pipes(
+ NULL,
+ command,
+ NULL,
+ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ &stdout_pipe,
+ NULL,
+ NULL) == FALSE) {
+ //command has failed
+ return( NULL );
+ }
+
+ // Read binary data from pipe and output to file
+ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
+ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
+ }
+ close(stdout_pipe);
+
+ FILE *fp = fopen(tmpfn, "wb");
+ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
+ fclose(fp);
+ g_byte_array_free(binary_data, TRUE);
+
+ return(tmpfn);
}
static char *ForceFileToHaveName(FILE *file, char *exten) {

14
fontforge.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Mar 5 12:17:37 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Add 642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch: Fix build
with gettext 0.22.
-------------------------------------------------------------------
Sat Mar 2 03:24:22 UTC 2024 - Cliff Zhao <qzhao@suse.com>
- Add fontforge-CVE-2024-25081-CVE-2024-25082.patch
Backporting 216eb14b from upstream, Fix splinefont shell command
injection.
(CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405)
-------------------------------------------------------------------
Mon Feb 26 08:38:40 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>

8
fontforge.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package fontforge
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -26,7 +26,10 @@ Source0: https://github.com/fontforge/fontforge/archive/%{version}.tar.gz
# workaround for bug 930076, imho upstream should fix this
# https://github.com/fontforge/fontforge/issues/2270
Patch0: fontforge-version.patch
Patch5: add-bitmap-transform-support.patch
Patch1: add-bitmap-transform-support.patch
# PATCH-FIX-UPSTREAM fontforge-CVE-2024-25081-CVE-2024-25082.patch CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405 qzhao@suse.com -- Fix Splinefont shell invocation.
Patch2: fontforge-CVE-2024-25081-CVE-2024-25082.patch
Patch3: https://github.com/fontforge/fontforge/commit/642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch
BuildRequires: cairo-devel
BuildRequires: cmake
BuildRequires: fdupes
@ -121,7 +124,6 @@ rm %{buildroot}%{_docdir}/%{name}/html/.nojekyll
%{_datadir}/icons/hicolor/*/apps/org.fontforge.FontForge.png
%{_datadir}/icons/hicolor/scalable/apps/org.fontforge.FontForge.svg
%{_datadir}/metainfo/org.fontforge.FontForge.*.xml
# %{_datadir}/pixmaps/org.fontforge.FontForge.*
%{_datadir}/mime/packages/%{name}.xml
%dir %{_docdir}/fontforge