Control: tags 1064967 + patch
Control: tags 1064967 + pending

Dear maintainer,

I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

@Security team:
If wanted, I could afterwards also prepare (pu or DSA) updates for
bookworm and bullseye.

cu
Adrian

diff -Nru fontforge-20230101~dfsg/debian/changelog fontforge-20230101~dfsg/debian/changelog
--- fontforge-20230101~dfsg/debian/changelog 2023-01-18 20:05:41.000000000 +0200
+++ fontforge-20230101~dfsg/debian/changelog 2024-03-08 01:15:58.000000000 +0200
@@ -1,3 +1,13 @@
+fontforge (1:20230101~dfsg-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2024-25081: Spline Font command injection via crafted filenames
+ * CVE-2024-25082: Spline Font command injection via crafted archives
+ or compressed files
+ * Closes: #1064967
+
+ -- Adrian Bunk <bunk@debian.org> Fri, 08 Mar 2024 01:15:58 +0200
+
fontforge (1:20230101~dfsg-1) unstable; urgency=medium

* New upstream version 20230101~dfsg
diff -Nru fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch
--- fontforge-20230101~dfsg/debian/patches/0001-fix-splinefont-shell-command-injection-5367.patch 1970-01-01 02:00:00.000000000 +0200
+++ fontforge-20230101~dfsg/debian/patches/0001-

Hi Adrian,

On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:

Control: tags 1064967 + patch
Control: tags 1064967 + pending

Dear maintainer,

I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

@Security team:
If wanted, I could afterwards also prepare (pu or DSA) updates for
bookworm and bullseye.

We came to the conclusion that it warrants a DSA. Could you prepare
debdiffs for bookworm-security and bulseye-security?

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:

On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:

Hi Adrian,

Hi Salvatore,

On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:

Control: tags 1064967 + patch
Control: tags 1064967 + pending

Dear maintainer,

I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

@Security team:
If wanted, I could afterwards also prepare (pu or DSA) updates for bookworm and bullseye.

We came to the conclusion that it warrants a DSA. Could you prepare debdiffs for bookworm-security and bulseye-security?

the debdiffs are attached.

Tested on both releases with the PoCs from [1] and that opening a normal compressed font still works.

Thanks for the debdiffs and providing as well the done testing
background.

Please do upload to security-master (both will need to be built with
-sa).

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Adrian,

On Sat, Mar 16, 2024 at 12:12:01AM +0200, Adrian Bunk wrote:

On Wed, Mar 13, 2024 at 08:39:47PM +0100, Salvatore Bonaccorso wrote:

Hi Adrian,

Hi Salvatore,

On Fri, Mar 08, 2024 at 02:03:55AM +0200, Adrian Bunk wrote:

Control: tags 1064967 + patch
Control: tags 1064967 + pending

Dear maintainer,

I've prepared an NMU for fontforge (versioned as 1:20230101~dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

@Security team:
If wanted, I could afterwards also prepare (pu or DSA) updates for bookworm and bullseye.

We came to the conclusion that it warrants a DSA. Could you prepare debdiffs for bookworm-security and bulseye-security?

the debdiffs are attached.

Tested on both releases with the PoCs from [1] and that opening a normal compressed font still works.

DSA for your work released.

Thanks for your contribution!

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)