From 87ec20a165e0e90d5c910be5d5eb119e8acf419c9b451b7a6557f48e2a90d883 Mon Sep 17 00:00:00 2001
From: Hillwood Yang
Date: Tue, 5 Mar 2024 05:50:50 +0000
Subject: [PATCH] Accepting request 1154724 from home:qzhao:branches:M17N Add fontforge-CVE-2024-25081-CVE-2024-25082.patch Backporting 216eb14b from upstream, Fix splinefont shell command injection. (CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405)
OBS-URL: https://build.opensuse.org/request/show/1154724
OBS-URL: https://build.opensuse.org/package/show/M17N/fontforge?expand=0&rev=91
---
 fontforge-CVE-2024-25081-CVE-2024-25082.patch | 172 ++++++++++++++++++
 fontforge.changes | 8 +
 fontforge.spec | 7 +-
 3 files changed, 184 insertions(+), 3 deletions(-)
 create mode 100644 fontforge-CVE-2024-25081-CVE-2024-25082.patch
diff --git a/fontforge-CVE-2024-25081-CVE-2024-25082.patch b/fontforge-CVE-2024-25081-CVE-2024-25082.patch
new file mode 100644
index 0000000..b425d9b
--- /dev/null
+++ b/fontforge-CVE-2024-25081-CVE-2024-25082.patch
@@ -0,0 +1,172 @@ +commit 216eb14b558df344b206bf82e2bdaf03a1f2f429 (HEAD -> 216eb14b558df344b206bf82e2bdaf03a1f2f429_CVE-2024-25081_CVE-2024-25082) +Author: Peter Kydas +Date: Tue Feb 6 20:03:04 2024 +1100 + + fix splinefont shell command injection (#5367) + +diff -Nura fontforge-20230101/fontforge/splinefont.c fontforge-20230101_new/fontforge/splinefont.c +--- fontforge-20230101/fontforge/splinefont.c 2023-01-01 13:25:21.000000000 +0800 ++++ fontforge-20230101_new/fontforge/splinefont.c 2024-03-04 21:23:26.813893591 +0800 +@@ -788,11 +788,14 @@ + + char *Unarchive(char *name, char **_archivedir) { + char *dir = getenv("TMPDIR"); +- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile; ++ char *pt, *archivedir, *listfile, *desiredfile; + char *finalfile; + int i; + int doall=false; + static int cnt=0; ++ gchar *command[5]; ++ gchar *stdoutresponse = NULL; ++ gchar *stderrresponse = NULL; + + *_archivedir = NULL; + +@@ -827,18 +830,30 @@ + listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1); + sprintf( listfile, "%s/" TOC_NAME, archivedir ); + +- listcommand = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 3 + +- strlen( listfile ) +4 ); +- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive, +- archivers[i].listargs, name, listfile ); +- if ( system(listcommand)!=0 ) { +- free(listcommand); free(listfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].listargs; ++ command[2] = name; ++ command[3] = NULL; // command args need to be NULL-terminated ++ ++ if ( g_spawn_sync( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ &stderrresponse, ++ NULL, ++ NULL ++ ) == FALSE) { // did not successfully execute ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(listcommand); ++ // Write out the listfile to be read in later ++ FILE *fp = 
fopen(listfile, "wb"); ++ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp); ++ fclose(fp); + + desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall); + free(listfile); +@@ -847,22 +862,28 @@ + return( NULL ); + } + +- /* I tried sending everything to stdout, but that doesn't work if the */ +- /* output is a directory file (ufo, sfdir) */ +- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 1 + +- strlen( desiredfile ) + 3 + +- strlen( archivedir ) + 30 ); +- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir, +- archivers[i].unarchive, +- archivers[i].extractargs, name, doall ? "" : desiredfile ); +- if ( system(unarchivecmd)!=0 ) { +- free(unarchivecmd); free(desiredfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].extractargs; ++ command[2] = name; ++ command[3] = doall ? "" : desiredfile; ++ command[4] = NULL; ++ ++ if ( g_spawn_sync( ++ (gchar*)archivedir, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ &stderrresponse, ++ NULL, ++ NULL ++ ) == FALSE) { // did not successfully execute ++ free(desiredfile); ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(unarchivecmd); + + finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1); + sprintf( finalfile, "%s/%s", archivedir, desiredfile ); +@@ -885,8 +906,12 @@ + + char *Decompress(char *name, int compression) { + char *dir = getenv("TMPDIR"); +- char buf[1500]; + char *tmpfn; ++ gchar *command[4]; ++ gint stdout_pipe; ++ gchar buffer[4096]; ++ gssize bytes_read; ++ GByteArray *binary_data = g_byte_array_new(); + + if ( dir==NULL ) dir = P_tmpdir; + tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2); +@@ -894,11 +919,41 @@ + strcat(tmpfn,"/"); + strcat(tmpfn,GFileNameTail(name)); + *strrchr(tmpfn,'.') = '\0'; +- snprintf( buf, sizeof(buf), "%s < %s > %s", 
compressors[compression].decomp, name, tmpfn ); +- if ( system(buf)==0 ) +-return( tmpfn ); +- free(tmpfn); +-return( NULL ); ++ ++ command[0] = compressors[compression].decomp; ++ command[1] = "-c"; ++ command[2] = name; ++ command[3] = NULL; ++ ++ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data) ++ if (g_spawn_async_with_pipes( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ &stdout_pipe, ++ NULL, ++ NULL) == FALSE) { ++ //command has failed ++ return( NULL ); ++ } ++ ++ // Read binary data from pipe and output to file ++ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) { ++ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read); ++ } ++ close(stdout_pipe); ++ ++ FILE *fp = fopen(tmpfn, "wb"); ++ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp); ++ fclose(fp); ++ g_byte_array_free(binary_data, TRUE); ++ ++ return(tmpfn); + } + + static char *ForceFileToHaveName(FILE *file, char *exten) {
diff --git a/fontforge.changes b/fontforge.changes
index 176f7f5..a4eaca7 100644
--- a/fontforge.changes
+++ b/fontforge.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Mar 2 03:24:22 UTC 2024 - Cliff Zhao
+
+- Add fontforge-CVE-2024-25081-CVE-2024-25082.patch
+ Backporting 216eb14b from upstream, Fix splinefont shell
+ injection.
+ (CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405)
+
 -------------------------------------------------------------------
 Mon Feb 26 08:38:40 UTC 2024 - Dominique Leuenberger
 
diff --git a/fontforge.spec b/fontforge.spec
index cbd5fc4..55d634a 100644
--- a/fontforge.spec
+++ b/fontforge.spec
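Review bot: Both g_spawn_sync() calls in Unarchive and the g_spawn_async_with_pipes() call in Decompress drop the exit-status check that the replaced `system(...)!=0` tests provided — the exit_status out-parameter is passed as NULL, and Decompress never waits on the child (it passes NULL for child_pid while setting G_SPAWN_DO_NOT_REAP_CHILD, so the child is also left unreaped) — so a failing archiver or decompressor now yields a truncated TOC or output file that is returned as success. The `FILE *fp = fopen(listfile, "wb")` and `fopen(tmpfn, "wb")` results are used without a NULL check, the failure paths no longer free `listfile` (Unarchive) or `tmpfn` and `binary_data` (Decompress) as the original did, and `stdoutresponse`/`stderrresponse` are never g_free'd and are simply overwritten by the second spawn. In the extract call `command[3] = doall ? "" : desiredfile` now passes a literal empty argument to the archiver where the shell form made it vanish — presumably `command[3] = NULL` in the doall case is what is intended. Below is the list-command site with the status and fopen checks added; the other two spawn sites need the same treatment (Decompress via the `GPid` out-parameter and `waitpid()` after the read loop), and note that Unarchive and Decompress both begin and end outside the quoted inner hunks. `command[1] = "-c"` also assumes every entry in compressors[] accepts that flag, which this patch does not show.
```c
    gint wait_status = 0;
    // … unchanged: command[] setup for the list invocation …
    if ( g_spawn_sync(NULL, command, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL,
                      &stdoutresponse, &stderrresponse, &wait_status, NULL) == FALSE
         || !g_spawn_check_exit_status(wait_status, NULL) ) { // spawn failed or archiver exited non-zero
        g_free(stdoutresponse); g_free(stderrresponse);
        free(listfile);
        ArchiveCleanup(archivedir);
        return( NULL );
    }
    // Write out the listfile to be read in later
    FILE *fp = fopen(listfile, "wb");
    if ( fp==NULL ) {
        g_free(stdoutresponse); g_free(stderrresponse);
        free(listfile);
        ArchiveCleanup(archivedir);
        return( NULL );
    }
    fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
    fclose(fp);
    g_free(stdoutresponse); g_free(stderrresponse);
    stdoutresponse = stderrresponse = NULL; // reused by the extract spawn below
    // … unchanged: ArchiveParseTOC and the extract invocation …
```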
@@ -1,7 +1,7 @@
 #
 # spec file for package fontforge
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,9 @@ Source0: https://github.com/fontforge/fontforge/archive/%{version}.tar.gz
 # workaround for bug 930076, imho upstream should fix this
 # https://github.com/fontforge/fontforge/issues/2270
 Patch0: fontforge-version.patch
-Patch5: add-bitmap-transform-support.patch
+Patch1: add-bitmap-transform-support.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2024-25081-CVE-2024-25082.patch CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405 qzhao@suse.com -- Fix Splinefont shell invocation.
+Patch2: fontforge-CVE-2024-25081-CVE-2024-25082.patch
 BuildRequires: cairo-devel
 BuildRequires: cmake
 BuildRequires: fdupes
@@ -121,7 +123,6 @@ rm %{buildroot}%{_docdir}/%{name}/html/.nojekyll
 %{_datadir}/icons/hicolor/*/apps/org.fontforge.FontForge.png
 %{_datadir}/icons/hicolor/scalable/apps/org.fontforge.FontForge.svg
 %{_datadir}/metainfo/org.fontforge.FontForge.*.xml
-# %{_datadir}/pixmaps/org.fontforge.FontForge.*
 %{_datadir}/mime/packages/%{name}.xml
 %dir %{_docdir}/fontforge
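Review bot: Renumbering `Patch5:` to `Patch1:` and adding `Patch2:` in the `@@ -26,7 +26,9 @@` hunk only takes effect if %prep applies patches generically (e.g. `%autosetup -p1`); if %prep still names `%patch5` explicitly, the rename breaks the build and the CVE fix is never applied. %prep is outside this hunk, so this cannot be confirmed here — worth checking before merging.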