mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
fontforge: patch CVE-2025-15269
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15269 Pick the patch that refers to this vulnerability ID explicitly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
@@ -0,0 +1,36 @@
|
|||||||
|
From 6a23476bc5eea880f3f24496710a6133c92a198b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
Date: Sat, 10 Jan 2026 20:06:53 +0100
|
||||||
|
Subject: [PATCH] Fix CVE-2025-15269: Use-after-free in SFD ligature parsing
|
||||||
|
(#5722)
|
||||||
|
|
||||||
|
From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
|
||||||
|
|
||||||
|
Prevent circular linked list in LigaCreateFromOldStyleMultiple by clearing
|
||||||
|
the next pointer after shallow copy. The shallow copy propagates liga's
|
||||||
|
modified next pointer from previous iterations, creating a cycle that
|
||||||
|
causes double-free when the list is traversed and freed.
|
||||||
|
|
||||||
|
Fixes: CVE-2025-15269 | ZDI-25-1195 | ZDI-CAN-28564
|
||||||
|
|
||||||
|
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
|
||||||
|
|
||||||
|
CVE: CVE-2025-15269
|
||||||
|
Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/6aea6db5da332d8ac94e3501bb83c1b21f52074d]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
fontforge/sfd.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
|
||||||
|
index e19d3a30f..be4220515 100644
|
||||||
|
--- a/fontforge/sfd.c
|
||||||
|
+++ b/fontforge/sfd.c
|
||||||
|
@@ -4647,6 +4647,7 @@ static PST1 *LigaCreateFromOldStyleMultiple(PST1 *liga) {
|
||||||
|
while ( (pt = strrchr(liga->pst.u.lig.components,';'))!=NULL ) {
|
||||||
|
new = chunkalloc(sizeof( PST1 ));
|
||||||
|
*new = *liga;
|
||||||
|
+ new->pst.next = NULL;
|
||||||
|
new->pst.u.lig.components = copy(pt+1);
|
||||||
|
last->pst.next = (PST *) new;
|
||||||
|
last = new;
|
||||||
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
|
|||||||
file://CVE-2025-15279-1.patch \
|
file://CVE-2025-15279-1.patch \
|
||||||
file://CVE-2025-15279-2.patch \
|
file://CVE-2025-15279-2.patch \
|
||||||
file://CVE-2025-15275.patch \
|
file://CVE-2025-15275.patch \
|
||||||
|
file://CVE-2025-15269.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
|
EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"
|
||||||
|
|||||||
Reference in New Issue
Block a user