Bug 13492

Summary: [CVE 21] fontforge 1.0 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: e.kosachev, s.matveev, y.tumanov
Version: All
Flags: y.tumanov: secteam_verified+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2020-25690
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-23 23:44:44 MSK
Please patch CVEs for package fontforge version 1.0
INFO (CVEs are): fontforge 1.0
CVEs found:
CVE-2020-25690
Desc: An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25690
Severity: HIGH
Comment 1 Svyatoslav Matveev 2023-08-27 14:22:19 MSK
Fixed in this version.
Comment 2 Yury 2023-10-18 17:14:13 MSK
secteam_verified