Accepting request 1331140 from M17N

OBS-URL: https://build.opensuse.org/request/show/1331140
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fontforge?expand=0&rev=66

fontforge-20251009.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:69046500185a5581b58139dfad30c0b3d8128f00ebbfddc31f2fcf877e329e52
+size 14032824

fontforge-CVE-2024-25081-CVE-2024-25082.patch

@@ -1,172 +0,0 @@
-commit 216eb14b558df344b206bf82e2bdaf03a1f2f429 (HEAD -> 216eb14b558df344b206bf82e2bdaf03a1f2f429_CVE-2024-25081_CVE-2024-25082)
-Author: Peter Kydas <pk@canva.com>
-Date:   Tue Feb 6 20:03:04 2024 +1100
-
-    fix splinefont shell command injection (#5367)
-
-diff -Nura fontforge-20230101/fontforge/splinefont.c fontforge-20230101_new/fontforge/splinefont.c
---- fontforge-20230101/fontforge/splinefont.c	2023-01-01 13:25:21.000000000 +0800
-+++ fontforge-20230101_new/fontforge/splinefont.c	2024-03-04 21:23:26.813893591 +0800
-@@ -788,11 +788,14 @@
- 
- char *Unarchive(char *name, char **_archivedir) {
-     char *dir = getenv("TMPDIR");
--    char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile;
-+    char *pt, *archivedir, *listfile, *desiredfile;
-     char *finalfile;
-     int i;
-     int doall=false;
-     static int cnt=0;
-+    gchar *command[5];
-+    gchar *stdoutresponse = NULL;
-+    gchar *stderrresponse = NULL;
- 
-     *_archivedir = NULL;
- 
-@@ -827,18 +830,30 @@
-     listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
-     sprintf( listfile, "%s/" TOC_NAME, archivedir );
- 
--    listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
--			strlen( archivers[i].listargs) + 1 +
--			strlen( name ) + 3 +
--			strlen( listfile ) +4 );
--    sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
--	    archivers[i].listargs, name, listfile );
--    if ( system(listcommand)!=0 ) {
--	free(listcommand); free(listfile);
--	ArchiveCleanup(archivedir);
--return( NULL );
-+    command[0] = archivers[i].unarchive;
-+    command[1] = archivers[i].listargs;
-+    command[2] = name;
-+    command[3] = NULL; // command args need to be NULL-terminated
-+
-+    if ( g_spawn_sync(
-+                      NULL,
-+                      command,
-+                      NULL,
-+                      G_SPAWN_SEARCH_PATH,
-+                      NULL,
-+                      NULL,
-+                      &stdoutresponse,
-+                      &stderrresponse,
-+                      NULL,
-+                      NULL
-+                      ) == FALSE) { // did not successfully execute
-+      ArchiveCleanup(archivedir);
-+      return( NULL );
-     }
--    free(listcommand);
-+    // Write out the listfile to be read in later
-+    FILE *fp = fopen(listfile, "wb");
-+    fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
-+    fclose(fp);
- 
-     desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
-     free(listfile);
-@@ -847,22 +862,28 @@
- return( NULL );
-     }
- 
--    /* I tried sending everything to stdout, but that doesn't work if the */
--    /*  output is a directory file (ufo, sfdir) */
--    unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
--			strlen( archivers[i].listargs) + 1 +
--			strlen( name ) + 1 +
--			strlen( desiredfile ) + 3 +
--			strlen( archivedir ) + 30 );
--    sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
--	    archivers[i].unarchive,
--	    archivers[i].extractargs, name, doall ? "" : desiredfile );
--    if ( system(unarchivecmd)!=0 ) {
--	free(unarchivecmd); free(desiredfile);
--	ArchiveCleanup(archivedir);
--return( NULL );
-+    command[0] = archivers[i].unarchive;
-+    command[1] = archivers[i].extractargs;
-+    command[2] = name;
-+    command[3] = doall ? "" : desiredfile;
-+    command[4] = NULL;
-+
-+    if ( g_spawn_sync(
-+                      (gchar*)archivedir,
-+                      command,
-+                      NULL,
-+                      G_SPAWN_SEARCH_PATH,
-+                      NULL,
-+                      NULL,
-+                      &stdoutresponse,
-+                      &stderrresponse,
-+                      NULL,
-+                      NULL
-+                      ) == FALSE) { // did not successfully execute
-+      free(desiredfile);
-+      ArchiveCleanup(archivedir);
-+      return( NULL );
-     }
--    free(unarchivecmd);
- 
-     finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
-     sprintf( finalfile, "%s/%s", archivedir, desiredfile );
-@@ -885,8 +906,12 @@
- 
- char *Decompress(char *name, int compression) {
-     char *dir = getenv("TMPDIR");
--    char buf[1500];
-     char *tmpfn;
-+    gchar *command[4];
-+    gint stdout_pipe;
-+    gchar buffer[4096];
-+    gssize bytes_read;
-+    GByteArray *binary_data = g_byte_array_new();
- 
-     if ( dir==NULL ) dir = P_tmpdir;
-     tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
-@@ -894,11 +919,41 @@
-     strcat(tmpfn,"/");
-     strcat(tmpfn,GFileNameTail(name));
-     *strrchr(tmpfn,'.') = '\0';
--    snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn );
--    if ( system(buf)==0 )
--return( tmpfn );
--    free(tmpfn);
--return( NULL );
-+
-+    command[0] = compressors[compression].decomp;
-+    command[1] = "-c";
-+    command[2] = name;
-+    command[3] = NULL;
-+
-+    // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data)
-+    if (g_spawn_async_with_pipes(
-+      NULL,
-+      command,
-+      NULL,
-+      G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
-+      NULL,
-+      NULL,
-+      NULL,
-+      NULL,
-+      &stdout_pipe,
-+      NULL,
-+      NULL) == FALSE) {
-+      //command has failed
-+      return( NULL );
-+    }
-+
-+    // Read binary data from pipe and output to file
-+    while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
-+        g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
-+    }
-+    close(stdout_pipe);
-+
-+    FILE *fp = fopen(tmpfn, "wb");
-+    fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
-+    fclose(fp);
-+    g_byte_array_free(binary_data, TRUE);
-+
-+                return(tmpfn);
- }
- 
- static char *ForceFileToHaveName(FILE *file, char *exten) {

fontforge-CVE-2025-15269.patch

@@ -0,0 +1,34 @@
+From 6aea6db5da332d8ac94e3501bb83c1b21f52074d Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Sat, 10 Jan 2026 20:06:53 +0100
+Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
+ (#5722)
+
+Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
+the next pointer after shallow copy. The shallow copy propagates liga's
+modified next pointer from previous iterations, creating a cycle that
+causes double-free when the list is traversed and freed.
+
+Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+---
+ fontforge/sfd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 0590c119f..a349d0b2f 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4715,6 +4715,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
+     while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
+ 	new = chunkalloc(sizeof( PST1 ));
+ 	*new = *liga;
++	new->pst.next = NULL;
+ 	new->pst.u.lig.components = copy(pt+1);
+ 	last->pst.next = (PST *) new;
+ 	last = new;
+-- 
+2.49.0
+

fontforge-CVE-2025-15275.patch

@@ -0,0 +1,32 @@
+From 7195402701ace7783753ef9424153eff48c9af44 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Fri, 9 Jan 2026 16:58:23 +0100
+Subject: [PATCH] Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing
+ (#5721)
+
+Fixes: CVE-2025-15275 | ZDI-25-1189 | ZDI-CAN-28543
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+---
+ fontforge/sfd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 6b980a478..0590c119f 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -3653,6 +3653,10 @@ static ImageList *SFDGetImage(FILE *sfd) {
+     getint(sfd,&image_type);
+     getint(sfd,&bpl);
+     getint(sfd,&clutlen);
++    if ( clutlen < 0 || clutlen > 256 ) {
++        LogError(_("Invalid clut length %d in sfd file, must be between 0 and 256"), clutlen);
++        return NULL;
++    }
+     gethex(sfd,&trans);
+     image = GImageCreate(image_type,width,height);
+     base = image->list_len==0?image->u.image:image->u.images[0];
+-- 
+2.49.0
+

fontforge-CVE-2025-15279-part01_7d67700c.patch

@@ -0,0 +1,40 @@
+From 7d67700cf8888e0bb37b453ad54ed932c8587073 Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Thu, 8 Jan 2026 15:47:43 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
+ decompression (#5720)
+
+CVSS: 7.8 (High)
+ZDI-CAN-27517
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+---
+ gutils/gimagereadbmp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 5a137e28a..133336787 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ 	int ii = 0;
+ 	while ( ii<head->height*head->width ) {
+ 	    int cnt = getc(file);
++	    if (cnt < 0 || ii + cnt > head->height * head->width) {
++		return 0;
++	    }
+ 	    if ( cnt!=0 ) {
+ 		int ch = getc(file);
+ 		while ( --cnt>=0 )
+ 		    head->byte_pixels[ii++] = ch;
+ 	    } else {
+ 		cnt = getc(file);
++		if (cnt < 0 || ii + cnt > head->height * head->width) {
++		    return 0;
++		}
+ 		if ( cnt>= 3 ) {
+ 		    int odd = cnt&1;
+ 		    while ( --cnt>=0 )
+-- 
+2.49.0
+

fontforge-CVE-2025-15279-part02_720ea950.patch

@@ -0,0 +1,33 @@
+From 720ea95020c964202928afd2e93b0f5fac11027e Mon Sep 17 00:00:00 2001
+From: Ahmet Furkan Kavraz
+ <55850855+ahmetfurkankavraz@users.noreply.github.com>
+Date: Mon, 12 Jan 2026 22:45:16 +0100
+Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
+ (#5723)
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+---
+ gutils/gimagereadbmp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
+index 133336787..ad365158c 100644
+--- a/gutils/gimagereadbmp.c
++++ b/gutils/gimagereadbmp.c
+@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
+ 		    head->byte_pixels[ii++] = ch;
+ 	    } else {
+ 		cnt = getc(file);
+-		if (cnt < 0 || ii + cnt > head->height * head->width) {
+-		    return 0;
+-		}
+ 		if ( cnt>= 3 ) {
++		    if (ii + cnt > head->height * head->width) {
++			return 0;
++		    }
+ 		    int odd = cnt&1;
+ 		    while ( --cnt>=0 )
+ 			head->byte_pixels[ii++] = getc(file);
+-- 
+2.49.0
+

fontforge-fix-UFO-crash-for-empty-contours.patch

@@ -0,0 +1,27 @@
+From 77b1b1486077c3a216b00d64d54fc861cad309b1 Mon Sep 17 00:00:00 2001
+From: Maxim Iorsh <iorsh@users.sourceforge.net>
+Date: Tue, 4 Nov 2025 23:46:52 +0200
+Subject: [PATCH] Fix UFO crash for empty contours (#5645)
+
+---
+ fontforge/ufo.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fontforge/ufo.c b/fontforge/ufo.c
+index 56643d0f1..e9d988854 100644
+--- a/fontforge/ufo.c
++++ b/fontforge/ufo.c
+@@ -2722,6 +2722,10 @@ static SplineChar *_UFOLoadGlyph(SplineFont *sf, xmlDocPtr doc, char *glifname,
+             for ( points=contour->children; points!=NULL; points=points->next )
+                 if ( xmlStrcmp(points->name,(const xmlChar *) "point")==0 )
+             break;
++            if (points == NULL) {
++                // The UFO3 specification allows empty contours, we just drop them.
++                continue;
++            }
+             for ( npoints=points->next; npoints!=NULL; npoints=npoints->next )
+                 if ( xmlStrcmp(npoints->name,(const xmlChar *) "point")==0 )
+             break;
+-- 
+2.49.0
+

fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch

@@ -0,0 +1,84 @@
+From 0df57ac0d44fbe668f33a57593f94ba6c987a440 Mon Sep 17 00:00:00 2001
+From: Maxim Iorsh <iorsh@users.sourceforge.net>
+Date: Tue, 13 Jan 2026 19:10:56 +0200
+Subject: [PATCH] Fix crash for content over 32767 characters in GDraw
+ multiline text field (#5728)
+
+---
+ gdraw/ggadgetP.h   | 12 ++++++------
+ gdraw/gtextfield.c |  8 ++++----
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/gdraw/ggadgetP.h b/gdraw/ggadgetP.h
+index 85b67ea06..b2115fc90 100644
+--- a/gdraw/ggadgetP.h
++++ b/gdraw/ggadgetP.h
+@@ -314,19 +314,19 @@ typedef struct gtextfield {
+     uint8_t fh;
+     uint8_t as;
+     uint8_t nw;			/* Width of one character (an "n") */
+-    int16_t xoff_left, loff_top;
+-    int16_t sel_start, sel_end, sel_base;
+-    int16_t sel_oldstart, sel_oldend, sel_oldbase;
+-    int16_t dd_cursor_pos;
++    int32_t xoff_left, loff_top;
++    int32_t sel_start, sel_end, sel_base;
++    int32_t sel_oldstart, sel_oldend, sel_oldbase;
++    int32_t dd_cursor_pos;
+     unichar_t *text, *oldtext;
+     FontInstance *font;
+     GTimer *pressed;
+     GTimer *cursor;
+     GCursor old_cursor;
+     GScrollBar *hsb, *vsb;
+-    int16_t lcnt, lmax;
++    int32_t lcnt, lmax;
+     int32_t *lines;		/* offsets in text to the start of the nth line */
+-    int16_t xmax;
++    int32_t xmax;
+     GIC *gic;
+     GTimer *numeric_scroll;
+     char *utf8_text;		/* For Pango */
+diff --git a/gdraw/gtextfield.c b/gdraw/gtextfield.c
+index 19b16274c..f56a9d6a6 100644
+--- a/gdraw/gtextfield.c
++++ b/gdraw/gtextfield.c
+@@ -633,7 +633,7 @@ static int GTextFieldSelForeword(unichar_t *text,int end) {
+ return( end );
+ }
+ 
+-static void GTextFieldSelectWord(GTextField *gt,int mid, int16_t *start, int16_t *end) {
++static void GTextFieldSelectWord(GTextField *gt,int mid, int32_t *start, int32_t *end) {
+     unichar_t *text;
+     unichar_t ch = gt->text[mid];
+ 
+@@ -664,7 +664,7 @@ static void GTextFieldSelectWord(GTextField *gt,int mid, int16_t *start, int16_t
+ }
+ 
+ static void GTextFieldSelectWords(GTextField *gt,int last) {
+-    int16_t ss, se;
++    int32_t ss, se;
+     GTextFieldSelectWord(gt,gt->sel_base,&gt->sel_start,&gt->sel_end);
+     if ( last!=gt->sel_base ) {
+ 	GTextFieldSelectWord(gt,last,&ss,&se);
+@@ -2185,7 +2185,7 @@ static void gtextfield_redraw(GGadget *g) {
+ 
+ static void gtextfield_move(GGadget *g, int32_t x, int32_t y ) {
+     GTextField *gt = (GTextField *) g;
+-    int fxo=0, fyo=0, bxo, byo;
++    int fxo=0, fyo=0, bxo=0, byo=0;
+ 
+     if ( gt->listfield || gt->numericfield ) {
+ 	fxo = ((GListField *) gt)->fieldrect.x - g->r.x;
+@@ -2209,7 +2209,7 @@ static void gtextfield_move(GGadget *g, int32_t x, int32_t y ) {
+ static void gtextfield_resize(GGadget *g, int32_t width, int32_t height ) {
+     GTextField *gt = (GTextField *) g;
+     int gtwidth=width, gtheight=height, oldheight=0;
+-    int fxo=0, fwo=0, fyo=0, bxo, byo;
++    int fxo=0, fwo=0, fyo=0, bxo=0, byo=0;
+     int l;
+ 
+     if ( gt->listfield || gt->numericfield ) {
+-- 
+2.49.0
+

fontforge-fix-crash-in-Metrics-View.patch

@@ -0,0 +1,48 @@
+From 46dc37435bc5b3daaf160f494cd36677d2bb8cb3 Mon Sep 17 00:00:00 2001
+From: Maxim Iorsh <iorsh@users.sourceforge.net>
+Date: Thu, 6 Nov 2025 22:54:52 +0200
+Subject: [PATCH] Fix crash in Metrics View (#5647)
+
+---
+ fontforge/tottf.c | 4 ++--
+ fontforge/ufo.c   | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fontforge/tottf.c b/fontforge/tottf.c
+index 1b686c0b1..dddd5d6a6 100644
+--- a/fontforge/tottf.c
++++ b/fontforge/tottf.c
+@@ -6174,7 +6174,7 @@ int _WriteTTFFont(FILE *ttf,SplineFont *sf,enum fontformat format,
+ 
+ 	fake_mappings = calloc(sf->glyphcnt,sizeof(bool));
+ 	for (i = 0; i < sf->glyphcnt; ++i) {
+-	    if (sf->glyphs[i]->unicodeenc == -1) {
++	    if (sf->glyphs[i] && sf->glyphs[i]->unicodeenc == -1) {
+ 		sf->glyphs[i]->unicodeenc = fake_unicode_base + sf->glyphs[i]->orig_pos;
+ 		fake_mappings[i] = true;
+ 	    }
+@@ -6222,7 +6222,7 @@ int _WriteTTFFont(FILE *ttf,SplineFont *sf,enum fontformat format,
+     // Remove temporarily assigned fake Private Area unicode point from all unmapped glyphs
+     if (flags & ttf_flag_fake_map) {
+ 	for (i = 0; i < sf->glyphcnt; ++i) {
+-	    if (fake_mappings[i])
++	    if (sf->glyphs[i] && fake_mappings[i])
+ 		sf->glyphs[i]->unicodeenc = -1;
+ 	}
+ 	free(fake_mappings);
+diff --git a/fontforge/ufo.c b/fontforge/ufo.c
+index e9d988854..d68633359 100644
+--- a/fontforge/ufo.c
++++ b/fontforge/ufo.c
+@@ -1050,7 +1050,7 @@ void clear_cached_ufo_paths(SplineFont * sf) {
+   // First we clear the glif names.
+   for (i = 0; i < sf->glyphcnt; i++) {
+     struct splinechar * sc = sf->glyphs[i];
+-    if (sc->glif_name != NULL) { free(sc->glif_name); sc->glif_name = NULL; }
++    if (sc && sc->glif_name != NULL) { free(sc->glif_name); sc->glif_name = NULL; }
+   }
+   // Then we clear the layer names.
+   for (i = 0; i < sf->layer_cnt; i++) {
+-- 
+2.49.0
+

fontforge-fix-crash-issue-in-allmarkglyphs.patch

@@ -0,0 +1,49 @@
+From 9d793fe90ea0c5356e3fb00fa31d0737e1c952fc Mon Sep 17 00:00:00 2001
+From: MihailJP <mihailjp@gmail.com>
+Date: Tue, 4 Nov 2025 02:29:32 +0900
+Subject: [PATCH] Fix crash issue in allmarkglyphs (#5668)
+
+---
+ fontforge/tottfgpos.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fontforge/tottfgpos.c b/fontforge/tottfgpos.c
+index 73d4e01c3..895ba87b0 100644
+--- a/fontforge/tottfgpos.c
++++ b/fontforge/tottfgpos.c
+@@ -1821,24 +1821,24 @@ static SplineChar **allmarkglyphs(SplineChar ***glyphlist, int classcnt) {
+     int i, tot, k;
+ 
+     if ( classcnt==1 )
+-return( SFOrderedGlyphs(glyphlist[0]));
++        return( SFOrderedGlyphs(glyphlist[0]));
+ 
+     for ( i=tot=0; i<classcnt; ++i ) {
+-	for ( k=0; glyphlist[i][k]!=NULL; ++k );
+-	tot += k;
++        for ( k=0; glyphlist[i]!=NULL && glyphlist[i][k]!=NULL; ++k );
++        tot += k;
+     }
+     glyphs = malloc((tot+1)*sizeof(SplineChar *));
+     for ( i=tot=0; i<classcnt; ++i ) {
+-	for ( k=0; glyphlist[i][k]!=NULL; ++k )
+-	    glyphs[tot++] = glyphlist[i][k];
++        for ( k=0; glyphlist[i]!=NULL && glyphlist[i][k]!=NULL; ++k )
++            glyphs[tot++] = glyphlist[i][k];
+     }
+     qsort(glyphs,tot,sizeof(SplineChar *),orderglyph);
+     for ( i=k=0; i<tot; ++i ) {
+-	while ( i+1<tot && glyphs[i]==glyphs[i+1]) ++i;
+-	glyphs[k++] = glyphs[i];
++        while ( i+1<tot && glyphs[i]==glyphs[i+1]) ++i;
++        glyphs[k++] = glyphs[i];
+     }
+     glyphs[k] = NULL;
+-return( glyphs );
++    return( glyphs );
+ }
+ 
+ static void dumpgposAnchorData(FILE *gpos,AnchorClass *_ac,
+-- 
+2.49.0
+

fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch

@@ -0,0 +1,31 @@
+From aca4f524c6cb14cdc7bc4cd493492a33f5154797 Mon Sep 17 00:00:00 2001
+From: Phil Krylov <phil@krylov.eu>
+Date: Mon, 17 Nov 2025 19:55:43 +0100
+Subject: [PATCH] Metrics view: Fix crash on Up/Down keypress while in the
+ feature list (#5683)
+
+---
+ fontforgeexe/metricsview.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fontforgeexe/metricsview.c b/fontforgeexe/metricsview.c
+index 8284673e4..c6d38f410 100644
+--- a/fontforgeexe/metricsview.c
++++ b/fontforgeexe/metricsview.c
+@@ -4327,8 +4327,12 @@ static void MVChar(MetricsView *mv,GEvent *event)
+ 	    //      should always move up/down in the list of kerning words.
+ 	    if( active != mv->text )
+ 	    {
++		const unichar_t *title = _GGadgetGetTitle(active);
++		if (!title)
++		    return;
++
+ 		unichar_t *end;
+-		double val = u_strtod(_GGadgetGetTitle(active),&end);
++		double val = u_strtod(title,&end);
+ 		if (isValidInt(end)) {
+ 		    int dir = ( event->u.chr.keysym == GK_Up || event->u.chr.keysym==GK_KP_Up ) ? 1 : -1;
+ 		    if( event->u.chr.state&ksm_control && event->u.chr.state&ksm_shift ) {
+-- 
+2.49.0
+

fontforge-fix-multiple-crashes-in-Multiple-Masters.patch

@@ -0,0 +1,180 @@
+From dfe5c8035d716e99ebd0fdb1c49ea623d94737a7 Mon Sep 17 00:00:00 2001
+From: Maxim Iorsh <iorsh@users.sourceforge.net>
+Date: Mon, 19 Jan 2026 22:45:20 +0200
+Subject: [PATCH] Fix multiple crashes in Multiple Masters (#5733)
+
+* Fix corruption in SFMakeChar() for MM fonts
+* Crash when opening MM font with kerning
+* Fix crash for missing MM Mac name
+---
+ Unicode/memory.c     |  7 +++++++
+ Unicode/ustring.c    |  2 +-
+ fontforge/encoding.c | 40 ++++++++++++++++++++++++++--------------
+ fontforge/sfd.c      |  4 +++-
+ fontforgeexe/mmdlg.c |  6 +++---
+ inc/basics.h         |  2 ++
+ 6 files changed, 42 insertions(+), 19 deletions(-)
+
+diff --git a/Unicode/memory.c b/Unicode/memory.c
+index 774b138fd..1613f7730 100644
+--- a/Unicode/memory.c
++++ b/Unicode/memory.c
+@@ -39,6 +39,13 @@ void NoMoreMemMessage(void) {
+     fprintf(stderr, "Out of memory\n" );
+ }
+ 
++void ExpandBuffer(void** p_buf, size_t elem_size, size_t increment,
++                  int* p_maxalloc) {
++    *p_buf = realloc(*p_buf, (*p_maxalloc + increment) * elem_size);
++    memset((char*)*p_buf + (*p_maxalloc) * elem_size, 0, increment * elem_size);
++    *p_maxalloc += increment;
++}
++
+ char *copy(const char *str) {
+     return str ? strdup(str) : NULL;
+ }
+diff --git a/Unicode/ustring.c b/Unicode/ustring.c
+index b0fe3387e..893eeedf2 100644
+--- a/Unicode/ustring.c
++++ b/Unicode/ustring.c
+@@ -535,7 +535,7 @@ unichar_t *utf82u_strncpy(unichar_t *ubuf,const char *utf8buf,int len) {
+ }
+ 
+ unichar_t *utf82u_strcpy(unichar_t *ubuf,const char *utf8buf) {
+-return( utf82u_strncpy(ubuf,utf8buf,strlen(utf8buf)+1));
++return( utf82u_strncpy(ubuf,utf8buf,c_strlen(utf8buf)+1));
+ }
+ 
+ unichar_t *utf82u_copyn(const char *utf8buf,int len) {
+diff --git a/fontforge/encoding.c b/fontforge/encoding.c
+index 194ecd035..6eb9c6dc7 100644
+--- a/fontforge/encoding.c
++++ b/fontforge/encoding.c
+@@ -1233,7 +1233,7 @@ enum cmaptype { cmt_out=-1, cmt_coderange, cmt_notdefs, cmt_cid, cmt_max };
+ struct coderange { uint32_t first, last, cid; };
+ struct cmap {
+     struct {
+-	int n;
++	size_t n;
+ 	struct coderange *ranges;
+     } groups[cmt_max];
+     char *registry;
+@@ -1253,7 +1253,7 @@ static void cmapfree(struct cmap *cmap) {
+     free(cmap);
+ }
+ 
+-static struct coderange *ExtendArray(struct coderange *ranges,int *n, int val) {
++static struct coderange *ExtendArray(struct coderange *ranges, size_t *n, int val) {
+     if ( *n == 0 )
+ 	ranges = calloc(val,sizeof(struct coderange));
+     else {
+@@ -1280,7 +1280,8 @@ static struct cmap *ParseCMap(char *filename) {
+     FILE *file;
+     struct cmap *cmap;
+     char *end, *pt;
+-    int val, pos;
++    int val;
++    size_t pos;
+     enum cmaptype in;
+     int in_is_single; // We set this if we are to parse cidchars into cidranges.
+     static const char *bcsr = "begincodespacerange", *bndr = "beginnotdefrange", *bcr = "begincidrange", *bcc = "begincidchar";
+@@ -2363,21 +2364,32 @@ return( any );
+ }
+ 
+ void SFAddGlyphAndEncode(SplineFont *sf,SplineChar *sc,EncMap *basemap, int baseenc) {
+-    int gid, mapfound = false;
++    int j, gid, mapfound = false;
+     FontViewBase *fv;
+     BDFFont *bdf;
+ 
+     if ( sf->cidmaster==NULL ) {
+-	if ( sf->glyphcnt+1>=sf->glyphmax )
+-	    sf->glyphs = realloc(sf->glyphs,(sf->glyphmax+=10)*sizeof(SplineChar *));
+-	gid = sf->glyphcnt++;
+-	for ( bdf = sf->bitmaps; bdf!=NULL; bdf=bdf->next ) {
+-	    if ( sf->glyphcnt+1>=bdf->glyphmax )
+-		bdf->glyphs = realloc(bdf->glyphs,(bdf->glyphmax=sf->glyphmax)*sizeof(BDFChar *));
+-	    if ( sf->glyphcnt>bdf->glyphcnt ) {
+-		memset(bdf->glyphs+bdf->glyphcnt,0,(sf->glyphcnt-bdf->glyphcnt)*sizeof(BDFChar *));
+-		bdf->glyphcnt = sf->glyphcnt;
+-	    }
++        if (sf->glyphcnt + 1 > sf->glyphmax)
++            ExpandBuffer((void**)&sf->glyphs, sizeof(SplineChar*), 10,
++                         &sf->glyphmax);
++        gid = sf->glyphcnt++;
++        for (bdf = sf->bitmaps; bdf != NULL; bdf = bdf->next) {
++            if (sf->glyphcnt + 1 > bdf->glyphmax)
++                ExpandBuffer((void**)&bdf->glyphs, sizeof(BDFChar*),
++                             sf->glyphmax - bdf->glyphmax, &bdf->glyphmax);
++        }
++        if (sf->mm != NULL) {
++            if (sf->mm->normal->glyphmax < sf->glyphmax)
++                ExpandBuffer((void**)&sf->mm->normal->glyphs,
++                             sizeof(SplineChar*),
++                             sf->glyphmax - sf->mm->normal->glyphmax,
++                             &sf->mm->normal->glyphmax);
++            for (j = 0; j < sf->mm->instance_count; ++j)
++                if (sf->mm->instances[j]->glyphmax < sf->glyphmax)
++                    ExpandBuffer((void**)&sf->mm->instances[j]->glyphs,
++                                 sizeof(SplineChar*),
++                                 sf->glyphmax - sf->mm->instances[j]->glyphmax,
++                                 &sf->mm->instances[j]->glyphmax);
+ 	}
+ 	for ( fv=sf->fv; fv!=NULL; fv = fv->nextsame ) {
+ 	    EncMap *map = fv->map;
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index a349d0b2f..f3c84080d 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -9014,7 +9014,9 @@ exit( 1 );
+ 	    }
+ 	}
+     }
+-    if ( sf->cidmaster==NULL )
++
++    /* MM font has already been already fixed up. */
++    if (sf->cidmaster == NULL && sf->mm == NULL)
+ 	SFDFixupRefs(sf);
+ 
+     if ( !haddupenc )
+diff --git a/fontforgeexe/mmdlg.c b/fontforgeexe/mmdlg.c
+index 1baf9ffda..540afdd1c 100644
+--- a/fontforgeexe/mmdlg.c
++++ b/fontforgeexe/mmdlg.c
+@@ -1632,7 +1632,7 @@ return( NULL );
+ 	pt[-1] = ']';
+ 	ustyle = PickNameFromMacName(mmw->old->named_instances[i].names);
+ 	ti[i].bg = ti[i].fg = COLOR_DEFAULT;
+-	ti[i].text = malloc((strlen(buffer)+3+strlen(ustyle))*sizeof(unichar_t));
++	ti[i].text = calloc(strlen(buffer)+3+c_strlen(ustyle), sizeof(unichar_t));
+ 	utf82u_strcpy(ti[i].text,ustyle);
+ 	uc_strcat(ti[i].text," ");
+ 	uc_strcat(ti[i].text,buffer);
+@@ -1762,9 +1762,9 @@ static void MMW_ParseNamedStyles(MMSet *setto,MMW *mmw) {
+ 
+ static void MMW_DoOK(MMW *mmw) {
+     real weights[AppleMmMax+1];
+-    real fbt;
++    real fbt = 0.;
+     int err = false;
+-    char *familyname, *fn, *origname=NULL;
++    char *familyname, *fn=NULL, *origname=NULL;
+     int i,j;
+     MMSet *setto, *dlgmm;
+     FontView *fv = NULL;
+diff --git a/inc/basics.h b/inc/basics.h
+index 86f0db712..9204285d5 100644
+--- a/inc/basics.h
++++ b/inc/basics.h
+@@ -73,6 +73,8 @@ typedef uint32_t unichar_t;
+ #endif
+ 
+ extern void NoMoreMemMessage(void);
++extern void ExpandBuffer(void** p_buf, size_t elem_size, size_t increment,
++                         int* p_maxalloc);
+ 
+ static inline int imin(int a, int b)
+ {
+-- 
+2.49.0
+

fontforge.changes

@@ -1,3 +1,279 @@
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-multiple-crashes-in-Multiple-Masters.patch:
+  Backport dfe5c803 from upstream, Fix multiple crashes in Multiple
+  Masters.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch:
+  Backport 0df57ac0 from upstream, fix crash for content over 32767
+  characters in GDraw multiline text field.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-CVE-2025-15279-part02_720ea950.patch:
+  Backport 720ea950 from upstream, Move bounds check inside
+  cnt >= 3 block.
+  (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-CVE-2025-15269.patch:
+  Backport 6aea6db5 from upstream, Use-after-free in SFD ligature
+  parsing.
+  (CVE-2025-15269, ZDI-25-1195, ZDI-CAN-28564, bsc#1256032)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-CVE-2025-15275.patch:
+  Backport 71954027 from upstream, Fix heap buffer overflow in SFD
+  image parsing.
+  (CVE-2025-15275 ZDI-25-1189 ZDI-CAN-28543 bsc#1256025)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-CVE-2025-15279-part01_7d67700c.patch:
+  Backport 7d67700c from upstream, Fix heap buffer overflow in BMP
+  RLE decompression.
+  (CVE-2025-15279, ZDI-CAN-27517, bsc#1256013)
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch:
+  Backport aca4f524 from upstream, Metrics view: Fix crash on Up/Down
+  keypress while in the feature list.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-crash-in-Metrics-View.patch
+  Backport 46dc37435 from upstream, Fix crash in Metrics View.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-UFO-crash-for-empty-contours.patch
+  Backport 77b1b148 from upstream, Fix UFO crash for empty contours.
+
+-------------------------------------------------------------------
+Wed Jan 21 15:07:19 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Add fontforge-fix-crash-issue-in-allmarkglyphs.patch:
+  Backport 9d793fe9 from upstream, fix crash issue in allmarkglyphs.
+
+-------------------------------------------------------------------
+Mon Jan 19 02:51:42 UTC 2026 - Cliff Zhao <qzhao@suse.com>
+
+- Update fontforge.spec to get rid of  update-desktop-files:
+  * It often duplicates upstream translation effort, wasting a human
+    work, both community translators and contracted ones.
+  * Most of these translations are ~20 years old, and they were never
+    reviewed, so it is possible that they are worse than the upstream
+    ones. In the last 20 years it did not provide any way to upstream
+    the changes and translations. The upstream translations got another
+    20 years of development. Also Desktop Categories specification was
+    updated, and the upstream specification now covers all aspects of
+    former X-SuSE-* Categories extensions.
+  * As a result, the SUSE desktop menu experience differs from other
+    vendors. Applications have a different name, different translations,
+    different placement in the structured menu etc.
+  * Upstream translations have a wider impact.
+  * Package maintainers have only a limited control over the contents
+    visible to users. It is imported during the runtime, and the visible
+    contents could be different from the contents in the package.
+  * update-desktop-files is a complicated tool. It attempts to fix
+    deprecated and obsolete stuff in the desktop files without even
+    informing the developer that something was wrong and something was
+    modified.
+  * It uses a very complicated toolchain that requires access to SUSE
+    intranet and access to OpenQA VPN. The complete toolchain setup was
+    never published, so it has even problems with Open Source ideas.
+  * It mixes SUSE-unique translations with translations that just
+    duplicate the upstream translation effort. As a result it significantly
+    increases number of strings to translate and decreases the quality of
+    the translation.
+  (jsc#PED-14507)
+
+-------------------------------------------------------------------
+Sun Oct 12 13:02:51 UTC 2025 - MihailJP <mihailjp@gmail.com>
+
+- Update to version 20251009
+  * Update documentation for py scripts (#5180)
+  * Update GitHub CI runners (#5328)
+  * Update po files from Croudin sources. (#5330)
+  * Use consistent Python in MacOS GitHub runner (#5331)
+  * Fix CI for Windows GitHub runner (#5335)
+  * Fix lookup flags parsing (#5338)
+  * Fixes (#5332): glyph file names uXXXXX (#5333)
+  * make harmonization robust and avoid zero handles after harmonization (#5262)
+  * Quiet strict prototypes warnings. (#5313)
+  * Fix crash in parsegvar() due to insufficient buffer (#5339)
+  * Handle failed iconv conversion. Unhandled execution path was UB, causing a segfault for me (#5329)
+  * Fix CMake function _get_git_version() (#5342)
+  * Don't require individual tuple encapsulation in fontforge.font.bitmapSizes setter (#5138)
+  * nltransform of anchor points (#5345)
+  * Fix generateFontPostHook being called instead of generateFontPreHook (#5226)
+  * Always set usDefaultChar to 0 (.notdef) (#5242)
+  * add font attributes, method to Python docs (#5353)
+  * fix segfault triggered by Python del c[i:j] (#5352)
+  * Autoselect internal WOFF2 format (#5346)
+  * 📝 Fix typos in the FAQ (#5355)
+  * add font.style_set_names attribute to Python API (#5354)
+  * Bulk tester (#5365)
+  * Fix Splinefont shell invocation (#5367)
+  * Fix the lists of Windows language IDs (#5359)
+  * Support suplementary planes in SFD (emojis etc.) (#5364)
+  * Remove psaltnames for multi-code-point names (#5305)
+  * doc: added missing sudo to installation instructions (#5300)
+  * Fix data corruption on SFD reading (#5380)
+  * Compare vertical metrics check when generating TTC (#5372)
+  * Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
+  * Don't attempt to copy anchors into NULL font (#5405)
+  * Fix export of supplementary plane characters in font name to TTF (#5396)
+  * Defer crowdin update to the end of the pipeline (#5409)
+  * Fix generated feature file bugs (#5384)
+  * crowdin: update to java 17 (#5447)
+  * Remove assert from Python script processor (#5410)
+  * Use sysconfig for Python module locations (#5423)
+  * Use PyConfig API on Python 3.8 (#5404)
+  * Fix resource leak in unParseTTInstrs (#5476)
+  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
+  * add math device tables to Python API (#5348)
+  * Update CI runner to macOS 13 (#5482)
+  * Allow hyphen and special characters in Feature File glyph names (#5358)
+  * Fix Python font.appendSFNTName() function (#5494)
+  * Update mm.c (#5386)
+  * Warning rollup (probably some hidden bugs!) from clang trunk (#5492)
+  * Fix function PyFFFont_addSmallCaps. (#5519)
+  * Make SmallCaps() create symbols (#5517)
+  * Segfault fix and complete implementation of "Don't generate FFTM tables" (#5509)
+  * Modernize fixed pitch flag computation (#5506)
+  * fix memleak in function utf7toutf8_copy (#5495)
+  * Avoid crashes in Python scripts when objects are accessed in invalid state (#5483)
+  * Fix CI for Ubuntu 24 (#5531)
+  * Bump GitHub CI runner to Ubuntu 22 (#5551)
+  * Fix memory corruption in SFUnicodeRanges() (#5537)
+  * Add contour draw option to H.Metrics. (#5496)
+  * Fix scaling of references in CharView (#5558)
+  * Fix TTF validation on load for fixed pitch fonts (#5562)
+  * Performance fixes for GSUB/GPOS dumps (#5547)
+  * Simple GTK-based dialog with CSS appearance support (#5546)
+  * Support Harfbuzz in Metrics View (#5522)
+  * Update po files from crowdin translations (#5575)
+  * Be more clever about label text in gtextfield (#5583)
+  * Add minimal support for GDEF version 1.3 (#5584)
+  * Sanitize messages from python (#5589)
+  * Fix a crash caused by deleting a glyph with vertical kerning pairs. (#5592)
+  * THEME -> GUI_THEME (#5596)
+  * Update po translations from Crowdin (#5593)
+  * Upgrade to Unicode 16.0.0 (#5594)
+  * Fix Linux AppImage (#5599)
+  * Upgrade to Unicode 17.0.0 and extend the language and script lists (#5618)
+  * Remove X11 and non-Cairo drawing backends (#5612)
+  * Add macOS dependency setup script (#5563)
+  * Fix hotkeys in BitmapView (#5626)
+  * Manually install Inno Setup 6 (#5621)
+  * Remove cv->back_img_out_of_date and cv->backimgs (#5625)
+  * fix spelling "bt" -> "but" (#5636)
+  * Fix typos in Python module docs (#5634)
+  * October 2025 release (#5632)
+  * fix memleak in function DlgCreate8 (#5491).
+    Remove da98987f.patch.
+    (CVE-2025-50949, bsc#1252652)
+
+-------------------------------------------------------------------
+Fri Oct 10 12:18:21 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add da98987f.patch:
+  Backport da98987f from upstream, fix memleak in function DlgCreate8.
+  (CVE-2025-50949, bsc#1252652)
+
+-------------------------------------------------------------------
+Mon May 26 06:39:39 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to version 20230101+git59.770356c9b:
+  * Add contour draw option to H.Metrics. (#5496)
+  * Fix memory corruption in SFUnicodeRanges() (#5537)
+  * Bump GitHub CI runner to Ubuntu 22 (#5551)
+  * Fix CI for Ubuntu 24 (#5531)
+  * Avoid crashes in Python scripts when objects are accessed in
+    invalid state (#5483)
+  * fix memleak in function utf7toutf8_copy (#5495)
+  * Modernize fixed pitch flag computation (#5506)
+  * Segfault fix and complete implementation of "Don't generate
+    FFTM tables" (#5509)
+  * Make SmallCaps() translate symbols, too.  Update
+    documentation accordingly. (#5517)
+  * Fix function PyFFFont_addSmallCaps. (#5519)
+  * Warning rollup (probably some hidden bugs!) from clang trunk
+    (#5492)
+  * Update mm.c (#5386)
+  * fix memleak in function DlgCreate8 (#5491)
+  * Fix Python font.appendSFNTName() function (#5494)
+  * Allow hyphen and special characters in Feature File glyph names
+    (#5358)
+  * Update CI runner to macOS 13 (#5482)
+  * add math device tables to Python API (#5348)
+  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
+  * Fix resource leak in unParseTTInstrs (#5476)
+  * Use PyConfig API on Python 3.8 (#5404)
+  * Use sysconfig for Python module locations (#5423)
+  * More crowdin fix
+  * Python script shall trigger no asserts (#5410)
+  * crowdin: update to java 17 (#5447)
+  * try fix crowdin
+  * Fix generated feature file bugs (#5384)
+  * Defer crowdin update to the end of the pipeline (#5409)
+  * Fix export of supplementary plane characters in font name to
+    TTF (#5396)
+  * Don't attempt to copy anchors into NULL font (#5405)
+  * Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
+  * Compare vertical metrics check when generating TTC (#5372)
+  * Fix data corruption on SFD reading (#5380)
+  * doc: added missing sudo to installation instructions (#5300)
+  * Remove `psaltnames` for multi-code-point names (#5305)
+  * Support suplementary planes in SFD (emojis etc.) (#5364)
+  * Fix the lists of Windows language IDs (#5359)
+  * fix splinefont shell command injection (#5367)
+  * Bulk tester (#5365)
+  * add `font.style_set_names` attribute to Python API (#5354)
+  * Fix typos in the FAQ (#5355)
+  * Autoselect internal WOFF2 format (#5346)
+  * fix segfault triggered by Python `del c[i:j]` (#5352)
+  * add `font` attributes, method to Python docs (#5353)
+  * Always set `usDefaultChar` to 0 (.notdef) (#5242)
+  * Fix generateFontPostHook being called instead of
+    generateFontPreHook (#5226)
+  * nltransform of anchor points (#5345)
+  * Don't require individual tuple encapsulation in
+    fontforge.font.bitmapSizes setter (#5138)
+  * Fix CMake function _get_git_version() (#5342)
+  * Handle failed iconv conversion. Unhandled execution path was
+    UB, causing a segfault for me (#5329)
+  * Fix crash in parsegvar() due to insufficient buffer (#5339)
+  * Quiet strict prototypes warnings. (#5313)
+  * harmonizing can now no longer produce zero handles, the
+    computation of harmonization is now numerically robust (#5262)
+  * Fix glyph file names uXXXXX (#5333)
+  * Fix lookup flags parsing (#5338)
+  * Duplicate libfontforge.dll for "py" and "pyhook" tests. (#5335)
+  * Use consistent Python in MacOS GitHub runner (#5331)
+  * Update po files from Croudin sources after fixing problems
+  * Fix GinHub CI runners (#5328)
+  * Update local scripts directory (#5180)
+- Remove patches already included by upstream:
+  * fontforge-CVE-2024-25081-CVE-2024-25082.patch
+  * 642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch
+  * use-sysconfig-not-distutils.patch
+
 -------------------------------------------------------------------
 Thu Nov 21 20:31:36 UTC 2024 - Dirk Müller <dmueller@suse.com>
 
@@ -107,6 +383,8 @@ Sun Mar 20 21:20:14 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * UFO include path is altered, please update your fonts if needed
   * FontForge is now compiled with -Wall by default
   * Cidmaps are now bundled
+  * Move help to gutils, help to avoid not validate strings before launching issue.
+  (CVE-2017-17521, bsc#1073014)
 - drop fix-return-statement.patch. obsolete
 
 -------------------------------------------------------------------
@@ -720,7 +998,7 @@ Tue Apr 10 2001 - Scott Pakin <pakin@uiuc.edu>
 - Upgraded from 210301 to 020401.
 
 -------------------------------------------------------------------
-Thu Mar 22 2001 Scott Pakin <pakin@uiuc.edu>
+Thu Mar 22 2001 - Scott Pakin <pakin@uiuc.edu>
 
 - Initial release
 

fontforge.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fontforge
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,21 +17,36 @@
 
 
 Name:           fontforge
-Version:        20230101
+Version:        20251009
 Release:        0
 Summary:        A Font Editor
 License:        GPL-3.0-or-later
 URL:            https://fontforge.org/
-Source0:        https://github.com/fontforge/fontforge/archive/%{version}.tar.gz
-# workaround for bug 930076, imho upstream should fix this
-# https://github.com/fontforge/fontforge/issues/2270
+Source0:        https://github.com/fontforge/fontforge/releases/download/%{version}/fontforge-%{version}.tar.xz
+# PATCH-FIX-OPENSUSE fontforge-version.patch pgajdos@suse.com -- fontforge --version now returns fontforge release version.
 Patch0:         fontforge-version.patch
+# PATCH-FIX-OPENSUSE add-bitmap-transform-support.patch boo#1169444 alarrosa@suse.com -- support transforming bitmap glyphs from python with one of the predefined transformations.
 Patch1:         add-bitmap-transform-support.patch
-# PATCH-FIX-UPSTREAM fontforge-CVE-2024-25081-CVE-2024-25082.patch CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405 qzhao@suse.com -- Fix Splinefont shell invocation.
-Patch2:         fontforge-CVE-2024-25081-CVE-2024-25082.patch
-Patch3:         https://github.com/fontforge/fontforge/commit/642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch
-# PATCH-FIX-UPSTREAM: taken from https://github.com/fontforge/fontforge/commit/8c75293e924602ed09a9481b0eeb67ba6c623a81
-Patch4:         use-sysconfig-not-distutils.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-crash-issue-in-allmarkglyphs.patch qzhao@suse.com -- Fix crash issue in allmarkglyphs (#5668).
+Patch2:         fontforge-fix-crash-issue-in-allmarkglyphs.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-UFO-crash-for-empty-contours.patch qzhao@suse.com -- Fix UFO crash for empty contours (#5645).
+Patch3:         fontforge-fix-UFO-crash-for-empty-contours.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-crash-in-Metrics-View.patch qzhao@suse.com -- Fix crash in Metrics View (#5647).
+Patch4:         fontforge-fix-crash-in-Metrics-View.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch qzhao@suse.com -- Metrics view: Fix crash on Up/Down keypress while in the feature list (#5683).
+Patch5:         fontforge-fix-crash-on-UpDown-keypress-in-the-feature-list.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15279-part01_7d67700c.patch CVE-2025-15279 ZDI-CAN-27517 bsc#1256013 qzhao@suse.com -- Fix CVE-2025-15279: Heap buffer overflow in BMP RLE decompression (#5720)
+Patch6:         fontforge-CVE-2025-15279-part01_7d67700c.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15275.patch CVE-2025-15275 ZDI-25-1189 ZDI-CAN-28543 bsc#1256025 qzhao@suse.com -- Fix CVE-2025-15275: Heap buffer overflow in SFD image parsing (#5721).
+Patch7:         fontforge-CVE-2025-15275.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15269.patch CVE-2025-15269 ZDI-25-1195 ZDI-CAN-28564 bsc#1256032 qzhao@suse.com -- Fix CVE-2025-15269: Use-after-free in SFD ligature parsing (#5722).
+Patch8:         fontforge-CVE-2025-15269.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2025-15279-part02_720ea950.patch CVE-2025-15279 ZDI-CAN-27517 bsc#1256013 qzhao@suse.com -- Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block (#5723).
+Patch9:         fontforge-CVE-2025-15279-part02_720ea950.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch qzhao@suse.com -- Fix crash for content over 32767 characters in GDraw multiline text field (#5728).
+Patch10:        fontforge-fix-crash-for-content-over-32767-characters-in-GDraw.patch
+# PATCH-FIX-UPSTREAM fontforge-fix-multiple-crashes-in-Multiple-Masters.patch qzhao@suse.com -- Fix multiple crashes in Multiple Masters (#5733).
+Patch11:        fontforge-fix-multiple-crashes-in-Multiple-Masters.patch
 BuildRequires:  cairo-devel
 BuildRequires:  cmake
 BuildRequires:  fdupes
@@ -42,26 +57,25 @@ BuildRequires:  gettext-tools
 BuildRequires:  giflib-devel
 BuildRequires:  git
 BuildRequires:  gtk3-devel
+BuildRequires:  gtkmm3-devel
 BuildRequires:  hicolor-icon-theme
 BuildRequires:  libjpeg-devel
 BuildRequires:  libpng-devel
+BuildRequires:  libspiro-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
 BuildRequires:  pango-devel
 BuildRequires:  pkgconfig
 BuildRequires:  python3-Sphinx
-BuildRequires:  python3-devel
+BuildRequires:  python3-devel >= 3.8
 BuildRequires:  readline-devel
-BuildRequires:  update-desktop-files
 BuildRequires:  woff2-devel
+BuildRequires:  xz
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xft)
 BuildRequires:  pkgconfig(xi)
-%if 0%{?suse_version} > 1210
-BuildRequires:  libspiro-devel
-%endif
 
 %description
 FontForge allows editing of outline and bitmap fonts.  With it, you can
@@ -71,9 +85,7 @@ some Type 0s), TrueType, OpenType (Type2), and CID-keyed fonts.
 
 %package doc
 Summary:        Documentation for FontForge
-%if 0%{?suse_version} >= 1230
 BuildArch:      noarch
-%endif
 
 %description doc
 FontForge allows editing of outline and bitmap fonts. With it, you can
@@ -104,7 +116,6 @@ to develop applications that use FontForge libraries.
 
 %install
 %cmake_install
-%suse_update_desktop_file -i org.fontforge.FontForge VectorGraphics
 %find_lang FontForge
 find %{buildroot} -type f -name "*.la" -delete -print
 rm %{buildroot}%{_docdir}/%{name}/html/.buildinfo

use-sysconfig-not-distutils.patch

@@ -1,54 +0,0 @@
-From 8c75293e924602ed09a9481b0eeb67ba6c623a81 Mon Sep 17 00:00:00 2001
-From: Maxim Iorsh <iorsh@users.sourceforge.net>
-Date: Mon, 7 Oct 2024 11:44:00 +0300
-Subject: [PATCH] Use sysconfig for Python module locations (#5423)
-
-* Use sysconfig for Python module locations
-
-* [TEMP] Use iorsh/fontforgebuilds repo
-
-* [TEMP] Use iorsh/fontforgebuilds repo in Appveyor
-
-* Update
-
-* Revert "[TEMP] Use iorsh/fontforgebuilds repo in Appveyor"
-
-This reverts commit 6fa80455b8b1e7cf43419c73e4de714f7925d9f8.
-
-* test
-
-* Cleanup
-
-* test
-
-* Removed debug prints
-
----------
-
-Co-authored-by: Jeremy Tan <jtanx@outlook.com>
----
- .github/workflows/main.yml                    | 24 +++++++++----------
- .github/workflows/scripts/ffosxbuild.sh       |  7 ++++--
- .github/workflows/scripts/setup_linux_deps.sh |  2 +-
- CMakeLists.txt                                |  6 -----
- osx/CMakeLists.txt                            |  2 +-
- pyhook/CMakeLists.txt                         |  5 +++-
- 6 files changed, 23 insertions(+), 23 deletions(-)
-
-diff --git a/pyhook/CMakeLists.txt b/pyhook/CMakeLists.txt
-index dd48054aa7..53708f1099 100644
---- a/pyhook/CMakeLists.txt
-+++ b/pyhook/CMakeLists.txt
-@@ -20,8 +20,11 @@ target_link_libraries(psMat_pyhook PRIVATE Python3::Module)
- # FindPython3 provides Python3_SITEARCH, but this is an absolute path
- # So do it ourselves, getting the prefix-relative path instead
- if(NOT DEFINED PYHOOK_INSTALL_DIR)
-+  if(APPLE)
-+    set(_PYHOOK_SYSCONFIG_PREFIX " 'posix_prefix',")
-+  endif()
-   execute_process(
--    COMMAND "${Python3_EXECUTABLE}" -c "import distutils.sysconfig as sc; print(sc.get_python_lib(prefix='', plat_specific=True,standard_lib=False))"
-+    COMMAND "${Python3_EXECUTABLE}" -c "import sysconfig as sc; print(sc.get_path('platlib',${_PYHOOK_SYSCONFIG_PREFIX} vars={'platbase': '.'}))"
-     RESULT_VARIABLE _pyhook_install_dir_result
-     OUTPUT_VARIABLE PYHOOK_INSTALL_DIR
-     OUTPUT_STRIP_TRAILING_WHITESPACE)