Accepting request 1280084 from M17N

- Update to version 20230101+git59.770356c9b:
  * Add contour draw option to H.Metrics. (#5496)
  * Fix memory corruption in SFUnicodeRanges() (#5537)
  * Bump GitHub CI runner to Ubuntu 22 (#5551)
  * Fix CI for Ubuntu 24 (#5531)
  * Avoid crashes in Python scripts when objects are accessed in
    invalid state (#5483)
  * fix memleak in function utf7toutf8_copy (#5495)
  * Modernize fixed pitch flag computation (#5506)
  * Segfault fix and complete implementation of "Don't generate
    FFTM tables" (#5509)
  * Make SmallCaps() translate symbols, too.  Update
    documentation accordingly. (#5517)
  * Fix function PyFFFont_addSmallCaps. (#5519)
  * Warning rollup (probably some hidden bugs!) from clang trunk
    (#5492)
  * Update mm.c (#5386)
  * fix memleak in function DlgCreate8 (#5491)
  * Fix Python font.appendSFNTName() function (#5494)
  * Allow hyphen and special characters in Feature File glyph names
    (#5358)
  * Update CI runner to macOS 13 (#5482)
  * add math device tables to Python API (#5348)
  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
  * Fix resource leak in unParseTTInstrs (#5476)
  * Use PyConfig API on Python 3.8 (#5404)
  * Use sysconfig for Python module locations (#5423)
  * More crowdin fix
  * Python script shall trigger no asserts (#5410)
  * crowdin: update to java 17 (#5447)

OBS-URL: https://build.opensuse.org/request/show/1280084
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fontforge?expand=0&rev=61

_service

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="scm">git</param>
+    <param name="url">https://github.com/fontforge/fontforge.git</param>
+    <param name="revision">master</param>
+    <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
+    <param name="changesgenerate">enable</param>
+  </service>
+  <service name="tar" mode="buildtime"/>
+  <service name="recompress" mode="buildtime">
+    <param name="file">*.tar</param>
+    <param name="compression">zst</param>
+  </service>
+  <service name="set_version" mode="manual" />
+</services>
+

_servicedata

@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/fontforge/fontforge.git</param>
+              <param name="changesrevision">770356c9b52c003939a36ed3df711b08805efb3c</param></service></servicedata>

fontforge-20230101+git59.770356c9b.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:215082d941d21a78503cb5beaadd25e543270b6429f96bc69c9cd2a16e8af0ad
+size 51817486

fontforge-CVE-2024-25081-CVE-2024-25082.patch

@@ -1,172 +0,0 @@
-commit 216eb14b558df344b206bf82e2bdaf03a1f2f429 (HEAD -> 216eb14b558df344b206bf82e2bdaf03a1f2f429_CVE-2024-25081_CVE-2024-25082)
-Author: Peter Kydas <pk@canva.com>
-Date:   Tue Feb 6 20:03:04 2024 +1100
-
-    fix splinefont shell command injection (#5367)
-
-diff -Nura fontforge-20230101/fontforge/splinefont.c fontforge-20230101_new/fontforge/splinefont.c
---- fontforge-20230101/fontforge/splinefont.c	2023-01-01 13:25:21.000000000 +0800
-+++ fontforge-20230101_new/fontforge/splinefont.c	2024-03-04 21:23:26.813893591 +0800
-@@ -788,11 +788,14 @@
- 
- char *Unarchive(char *name, char **_archivedir) {
-     char *dir = getenv("TMPDIR");
--    char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile;
-+    char *pt, *archivedir, *listfile, *desiredfile;
-     char *finalfile;
-     int i;
-     int doall=false;
-     static int cnt=0;
-+    gchar *command[5];
-+    gchar *stdoutresponse = NULL;
-+    gchar *stderrresponse = NULL;
- 
-     *_archivedir = NULL;
- 
-@@ -827,18 +830,30 @@
-     listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
-     sprintf( listfile, "%s/" TOC_NAME, archivedir );
- 
--    listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
--			strlen( archivers[i].listargs) + 1 +
--			strlen( name ) + 3 +
--			strlen( listfile ) +4 );
--    sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
--	    archivers[i].listargs, name, listfile );
--    if ( system(listcommand)!=0 ) {
--	free(listcommand); free(listfile);
--	ArchiveCleanup(archivedir);
--return( NULL );
-+    command[0] = archivers[i].unarchive;
-+    command[1] = archivers[i].listargs;
-+    command[2] = name;
-+    command[3] = NULL; // command args need to be NULL-terminated
-+
-+    if ( g_spawn_sync(
-+                      NULL,
-+                      command,
-+                      NULL,
-+                      G_SPAWN_SEARCH_PATH,
-+                      NULL,
-+                      NULL,
-+                      &stdoutresponse,
-+                      &stderrresponse,
-+                      NULL,
-+                      NULL
-+                      ) == FALSE) { // did not successfully execute
-+      ArchiveCleanup(archivedir);
-+      return( NULL );
-     }
--    free(listcommand);
-+    // Write out the listfile to be read in later
-+    FILE *fp = fopen(listfile, "wb");
-+    fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
-+    fclose(fp);
- 
-     desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
-     free(listfile);
-@@ -847,22 +862,28 @@
- return( NULL );
-     }
- 
--    /* I tried sending everything to stdout, but that doesn't work if the */
--    /*  output is a directory file (ufo, sfdir) */
--    unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
--			strlen( archivers[i].listargs) + 1 +
--			strlen( name ) + 1 +
--			strlen( desiredfile ) + 3 +
--			strlen( archivedir ) + 30 );
--    sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
--	    archivers[i].unarchive,
--	    archivers[i].extractargs, name, doall ? "" : desiredfile );
--    if ( system(unarchivecmd)!=0 ) {
--	free(unarchivecmd); free(desiredfile);
--	ArchiveCleanup(archivedir);
--return( NULL );
-+    command[0] = archivers[i].unarchive;
-+    command[1] = archivers[i].extractargs;
-+    command[2] = name;
-+    command[3] = doall ? "" : desiredfile;
-+    command[4] = NULL;
-+
-+    if ( g_spawn_sync(
-+                      (gchar*)archivedir,
-+                      command,
-+                      NULL,
-+                      G_SPAWN_SEARCH_PATH,
-+                      NULL,
-+                      NULL,
-+                      &stdoutresponse,
-+                      &stderrresponse,
-+                      NULL,
-+                      NULL
-+                      ) == FALSE) { // did not successfully execute
-+      free(desiredfile);
-+      ArchiveCleanup(archivedir);
-+      return( NULL );
-     }
--    free(unarchivecmd);
- 
-     finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
-     sprintf( finalfile, "%s/%s", archivedir, desiredfile );
-@@ -885,8 +906,12 @@
- 
- char *Decompress(char *name, int compression) {
-     char *dir = getenv("TMPDIR");
--    char buf[1500];
-     char *tmpfn;
-+    gchar *command[4];
-+    gint stdout_pipe;
-+    gchar buffer[4096];
-+    gssize bytes_read;
-+    GByteArray *binary_data = g_byte_array_new();
- 
-     if ( dir==NULL ) dir = P_tmpdir;
-     tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
-@@ -894,11 +919,41 @@
-     strcat(tmpfn,"/");
-     strcat(tmpfn,GFileNameTail(name));
-     *strrchr(tmpfn,'.') = '\0';
--    snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn );
--    if ( system(buf)==0 )
--return( tmpfn );
--    free(tmpfn);
--return( NULL );
-+
-+    command[0] = compressors[compression].decomp;
-+    command[1] = "-c";
-+    command[2] = name;
-+    command[3] = NULL;
-+
-+    // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data)
-+    if (g_spawn_async_with_pipes(
-+      NULL,
-+      command,
-+      NULL,
-+      G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
-+      NULL,
-+      NULL,
-+      NULL,
-+      NULL,
-+      &stdout_pipe,
-+      NULL,
-+      NULL) == FALSE) {
-+      //command has failed
-+      return( NULL );
-+    }
-+
-+    // Read binary data from pipe and output to file
-+    while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
-+        g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
-+    }
-+    close(stdout_pipe);
-+
-+    FILE *fp = fopen(tmpfn, "wb");
-+    fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
-+    fclose(fp);
-+    g_byte_array_free(binary_data, TRUE);
-+
-+                return(tmpfn);
- }
- 
- static char *ForceFileToHaveName(FILE *file, char *exten) {

fontforge.changes

@@ -1,3 +1,81 @@
+-------------------------------------------------------------------
+Mon May 26 06:39:39 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to version 20230101+git59.770356c9b:
+  * Add contour draw option to H.Metrics. (#5496)
+  * Fix memory corruption in SFUnicodeRanges() (#5537)
+  * Bump GitHub CI runner to Ubuntu 22 (#5551)
+  * Fix CI for Ubuntu 24 (#5531)
+  * Avoid crashes in Python scripts when objects are accessed in
+    invalid state (#5483)
+  * fix memleak in function utf7toutf8_copy (#5495)
+  * Modernize fixed pitch flag computation (#5506)
+  * Segfault fix and complete implementation of "Don't generate
+    FFTM tables" (#5509)
+  * Make SmallCaps() translate symbols, too.  Update
+    documentation accordingly. (#5517)
+  * Fix function PyFFFont_addSmallCaps. (#5519)
+  * Warning rollup (probably some hidden bugs!) from clang trunk
+    (#5492)
+  * Update mm.c (#5386)
+  * fix memleak in function DlgCreate8 (#5491)
+  * Fix Python font.appendSFNTName() function (#5494)
+  * Allow hyphen and special characters in Feature File glyph names
+    (#5358)
+  * Update CI runner to macOS 13 (#5482)
+  * add math device tables to Python API (#5348)
+  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
+  * Fix resource leak in unParseTTInstrs (#5476)
+  * Use PyConfig API on Python 3.8 (#5404)
+  * Use sysconfig for Python module locations (#5423)
+  * More crowdin fix
+  * Python script shall trigger no asserts (#5410)
+  * crowdin: update to java 17 (#5447)
+  * try fix crowdin
+  * Fix generated feature file bugs (#5384)
+  * Defer crowdin update to the end of the pipeline (#5409)
+  * Fix export of supplementary plane characters in font name to
+    TTF (#5396)
+  * Don't attempt to copy anchors into NULL font (#5405)
+  * Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
+  * Compare vertical metrics check when generating TTC (#5372)
+  * Fix data corruption on SFD reading (#5380)
+  * doc: added missing sudo to installation instructions (#5300)
+  * Remove `psaltnames` for multi-code-point names (#5305)
+  * Support suplementary planes in SFD (emojis etc.) (#5364)
+  * Fix the lists of Windows language IDs (#5359)
+  * fix splinefont shell command injection (#5367)
+  * Bulk tester (#5365)
+  * add `font.style_set_names` attribute to Python API (#5354)
+  * Fix typos in the FAQ (#5355)
+  * Autoselect internal WOFF2 format (#5346)
+  * fix segfault triggered by Python `del c[i:j]` (#5352)
+  * add `font` attributes, method to Python docs (#5353)
+  * Always set `usDefaultChar` to 0 (.notdef) (#5242)
+  * Fix generateFontPostHook being called instead of
+    generateFontPreHook (#5226)
+  * nltransform of anchor points (#5345)
+  * Don't require individual tuple encapsulation in
+    fontforge.font.bitmapSizes setter (#5138)
+  * Fix CMake function _get_git_version() (#5342)
+  * Handle failed iconv conversion. Unhandled execution path was
+    UB, causing a segfault for me (#5329)
+  * Fix crash in parsegvar() due to insufficient buffer (#5339)
+  * Quiet strict prototypes warnings. (#5313)
+  * harmonizing can now no longer produce zero handles, the
+    computation of harmonization is now numerically robust (#5262)
+  * Fix glyph file names uXXXXX (#5333)
+  * Fix lookup flags parsing (#5338)
+  * Duplicate libfontforge.dll for "py" and "pyhook" tests. (#5335)
+  * Use consistent Python in MacOS GitHub runner (#5331)
+  * Update po files from Croudin sources after fixing problems
+  * Fix GinHub CI runners (#5328)
+  * Update local scripts directory (#5180)
+- Remove patches already included by upstream:
+  * fontforge-CVE-2024-25081-CVE-2024-25082.patch
+  * 642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch
+  * use-sysconfig-not-distutils.patch
+
 -------------------------------------------------------------------
 Thu Nov 21 20:31:36 UTC 2024 - Dirk Müller <dmueller@suse.com>
 
@@ -107,6 +185,8 @@ Sun Mar 20 21:20:14 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * UFO include path is altered, please update your fonts if needed
   * FontForge is now compiled with -Wall by default
   * Cidmaps are now bundled
+  * Move help to gutils, help to avoid not validate strings before launching issue.
+  (CVE-2017-17521, bsc#1073014)
 - drop fix-return-statement.patch. obsolete
 
 -------------------------------------------------------------------
@@ -720,7 +800,7 @@ Tue Apr 10 2001 - Scott Pakin <pakin@uiuc.edu>
 - Upgraded from 210301 to 020401.
 
 -------------------------------------------------------------------
-Thu Mar 22 2001 Scott Pakin <pakin@uiuc.edu>
+Thu Mar 22 2001 - Scott Pakin <pakin@uiuc.edu>
 
 - Initial release
 

fontforge.obsinfo

@@ -0,0 +1,4 @@
+name: fontforge
+version: 20230101+git59.770356c9b
+mtime: 1745220260
+commit: 770356c9b52c003939a36ed3df711b08805efb3c

fontforge.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fontforge
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,21 +17,16 @@
 
 
 Name:           fontforge
-Version:        20230101
+Version:        20230101+git59.770356c9b
 Release:        0
 Summary:        A Font Editor
 License:        GPL-3.0-or-later
 URL:            https://fontforge.org/
-Source0:        https://github.com/fontforge/fontforge/archive/%{version}.tar.gz
+Source0:        fontforge-20230101+git59.770356c9b.tar.zst
 # workaround for bug 930076, imho upstream should fix this
 # https://github.com/fontforge/fontforge/issues/2270
 Patch0:         fontforge-version.patch
 Patch1:         add-bitmap-transform-support.patch
-# PATCH-FIX-UPSTREAM fontforge-CVE-2024-25081-CVE-2024-25082.patch CVE-2024-25081 CVE-2024-25082 bsc#1220404 bsc#1220405 qzhao@suse.com -- Fix Splinefont shell invocation.
-Patch2:         fontforge-CVE-2024-25081-CVE-2024-25082.patch
-Patch3:         https://github.com/fontforge/fontforge/commit/642d8a3db6d4bc0e70b429622fdf01ecb09c4c10.patch
-# PATCH-FIX-UPSTREAM: taken from https://github.com/fontforge/fontforge/commit/8c75293e924602ed09a9481b0eeb67ba6c623a81
-Patch4:         use-sysconfig-not-distutils.patch
 BuildRequires:  cairo-devel
 BuildRequires:  cmake
 BuildRequires:  fdupes
@@ -51,7 +46,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  pango-devel
 BuildRequires:  pkgconfig
 BuildRequires:  python3-Sphinx
-BuildRequires:  python3-devel
+BuildRequires:  python3-devel >= 3.8
 BuildRequires:  readline-devel
 BuildRequires:  update-desktop-files
 BuildRequires:  woff2-devel

use-sysconfig-not-distutils.patch

@@ -1,54 +0,0 @@
-From 8c75293e924602ed09a9481b0eeb67ba6c623a81 Mon Sep 17 00:00:00 2001
-From: Maxim Iorsh <iorsh@users.sourceforge.net>
-Date: Mon, 7 Oct 2024 11:44:00 +0300
-Subject: [PATCH] Use sysconfig for Python module locations (#5423)
-
-* Use sysconfig for Python module locations
-
-* [TEMP] Use iorsh/fontforgebuilds repo
-
-* [TEMP] Use iorsh/fontforgebuilds repo in Appveyor
-
-* Update
-
-* Revert "[TEMP] Use iorsh/fontforgebuilds repo in Appveyor"
-
-This reverts commit 6fa80455b8b1e7cf43419c73e4de714f7925d9f8.
-
-* test
-
-* Cleanup
-
-* test
-
-* Removed debug prints
-
----------
-
-Co-authored-by: Jeremy Tan <jtanx@outlook.com>
----
- .github/workflows/main.yml                    | 24 +++++++++----------
- .github/workflows/scripts/ffosxbuild.sh       |  7 ++++--
- .github/workflows/scripts/setup_linux_deps.sh |  2 +-
- CMakeLists.txt                                |  6 -----
- osx/CMakeLists.txt                            |  2 +-
- pyhook/CMakeLists.txt                         |  5 +++-
- 6 files changed, 23 insertions(+), 23 deletions(-)
-
-diff --git a/pyhook/CMakeLists.txt b/pyhook/CMakeLists.txt
-index dd48054aa7..53708f1099 100644
---- a/pyhook/CMakeLists.txt
-+++ b/pyhook/CMakeLists.txt
-@@ -20,8 +20,11 @@ target_link_libraries(psMat_pyhook PRIVATE Python3::Module)
- # FindPython3 provides Python3_SITEARCH, but this is an absolute path
- # So do it ourselves, getting the prefix-relative path instead
- if(NOT DEFINED PYHOOK_INSTALL_DIR)
-+  if(APPLE)
-+    set(_PYHOOK_SYSCONFIG_PREFIX " 'posix_prefix',")
-+  endif()
-   execute_process(
--    COMMAND "${Python3_EXECUTABLE}" -c "import distutils.sysconfig as sc; print(sc.get_python_lib(prefix='', plat_specific=True,standard_lib=False))"
-+    COMMAND "${Python3_EXECUTABLE}" -c "import sysconfig as sc; print(sc.get_path('platlib',${_PYHOOK_SYSCONFIG_PREFIX} vars={'platbase': '.'}))"
-     RESULT_VARIABLE _pyhook_install_dir_result
-     OUTPUT_VARIABLE PYHOOK_INSTALL_DIR
-     OUTPUT_STRIP_TRAILING_WHITESPACE)