Security update for fontforge SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2236-1 Final 1 1 2019-08-28T06:00:09Z current 2019-08-28T06:00:09Z 2019-08-28T06:00:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for fontforge This update for fontforge fixes the following security issues: fontforge was updated to 20170731, fixings lots of bugs and security issues. - CVE-2017-11568: Heap-based buffer over-read in PSCharStringToSplines (bsc#1050161) - CVE-2017-11569: Heap-based buffer over-read in readttfcopyrights (bsc#1050181) - CVE-2017-11571: Stack-based buffer overflow in addnibble (bsc#1050185) - CVE-2017-11572: Heap-based buffer over-read in readcfftopdicts (bsc#1050187) - CVE-2017-11573: Over-read in ValidatePostScriptFontName (bsc#1050193) - CVE-2017-11574: Heap-based buffer overflow in readcffset (bsc#1050194) - CVE-2017-11575: Buffer over-read in strnmatch (bsc#1050195) - CVE-2017-11576: Ensure a positive size in a weight vector memcpycall in readcfftopdict (bsc#1050196) - CVE-2017-11577: Buffer over-read in getsid (bsc#1050200) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-2236,SUSE-SLE-SDK-12-SP4-2019-2236 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ Link for SUSE-SU-2019:2236-1 https://lists.suse.com/pipermail/sle-security-updates/2019-August/005852.html E-Mail link for SUSE-SU-2019:2236-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1050161 SUSE Bug 1050161 https://bugzilla.suse.com/1050181 SUSE Bug 1050181 https://bugzilla.suse.com/1050185 SUSE Bug 1050185 https://bugzilla.suse.com/1050187 SUSE Bug 1050187 https://bugzilla.suse.com/1050193 SUSE Bug 1050193 https://bugzilla.suse.com/1050194 SUSE Bug 1050194 https://bugzilla.suse.com/1050195 SUSE Bug 1050195 https://bugzilla.suse.com/1050196 SUSE Bug 1050196 https://bugzilla.suse.com/1050200 SUSE Bug 1050200 https://www.suse.com/security/cve/CVE-2017-11568/ SUSE CVE CVE-2017-11568 page https://www.suse.com/security/cve/CVE-2017-11569/ SUSE CVE CVE-2017-11569 page https://www.suse.com/security/cve/CVE-2017-11571/ SUSE CVE CVE-2017-11571 page https://www.suse.com/security/cve/CVE-2017-11572/ SUSE CVE CVE-2017-11572 page https://www.suse.com/security/cve/CVE-2017-11573/ SUSE CVE CVE-2017-11573 page https://www.suse.com/security/cve/CVE-2017-11574/ SUSE CVE CVE-2017-11574 page https://www.suse.com/security/cve/CVE-2017-11575/ SUSE CVE CVE-2017-11575 page https://www.suse.com/security/cve/CVE-2017-11576/ SUSE CVE CVE-2017-11576 page https://www.suse.com/security/cve/CVE-2017-11577/ SUSE CVE CVE-2017-11577 page SUSE Linux Enterprise Software Development Kit 12 SP4 fontforge-20170731-11.8.1 fontforge-devel-20170731-11.8.1 fontforge-doc-20170731-11.8.1 fontforge-20170731-11.8.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP4 FontForge 20161012 is vulnerable to a heap-based buffer over-read in PSCharStringToSplines (psread.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11568 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11568.html CVE-2017-11568 https://bugzilla.suse.com/1050161 SUSE Bug 1050161 FontForge 20161012 is vulnerable to a heap-based buffer over-read in readttfcopyrights (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11569 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11569.html CVE-2017-11569 https://bugzilla.suse.com/1050181 SUSE Bug 1050181 FontForge 20161012 is vulnerable to a stack-based buffer overflow in addnibble (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11571 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11571.html CVE-2017-11571 https://bugzilla.suse.com/1050185 SUSE Bug 1050185 FontForge 20161012 is vulnerable to a heap-based buffer over-read in readcfftopdicts (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11572 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11572.html CVE-2017-11572 https://bugzilla.suse.com/1050187 SUSE Bug 1050187 FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11573 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11573.html CVE-2017-11573 https://bugzilla.suse.com/1050193 SUSE Bug 1050193 FontForge 20161012 is vulnerable to a heap-based buffer overflow in readcffset (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11574 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11574.html CVE-2017-11574 https://bugzilla.suse.com/1050194 SUSE Bug 1050194 FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (char.c) resulting in DoS or code execution via a crafted otf file, related to a call from the readttfcopyrights function in parsettf.c. CVE-2017-11575 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11575.html CVE-2017-11575 https://bugzilla.suse.com/1050195 SUSE Bug 1050195 FontForge 20161012 does not ensure a positive size in a weight vector memcpy call in readcfftopdict (parsettf.c) resulting in DoS via a crafted otf file. CVE-2017-11576 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11576.html CVE-2017-11576 https://bugzilla.suse.com/1050196 SUSE Bug 1050196 FontForge 20161012 is vulnerable to a buffer over-read in getsid (parsettf.c) resulting in DoS or code execution via a crafted otf file. CVE-2017-11577 SUSE Linux Enterprise Software Development Kit 12 SP4:fontforge-20170731-11.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192236-1/ https://www.suse.com/security/cve/CVE-2017-11577.html CVE-2017-11577 https://bugzilla.suse.com/1050200 SUSE Bug 1050200