mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

fontforge: patch CVE-2025-15279

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15279

Pick the patch that mentions this vulnerability ID explicitly.
Also, this patch has caused some regression - pick the patch also
that fixed that regression.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2026-02-26 15:46:24 +01:00
parent 4e091b47f7
commit 0dada584c8
3 changed files with 77 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-1.patch
+41
View File
@@ -0,0 +1,41 @@
From a64a45ef6930128226d0d8fdaa4b41847ac507a9 Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz
<55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Thu, 8 Jan 2026 15:47:43 +0100
Subject: [PATCH] Fix CVE-2025-15279: Heap buffer overflow in BMP RLE
decompression (#5720)
CVSS: 7.8 (High)
ZDI-CAN-27517
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
CVE: CVE-2025-15279
Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/7d67700cf8888e0bb37b453ad54ed932c8587073]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
gutils/gimagereadbmp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
index e56477fc8..3ec5abbff 100644
--- a/gutils/gimagereadbmp.c
+++ b/gutils/gimagereadbmp.c
@@ -181,12 +181,18 @@ static int readpixels(FILE *file,struct bmpheader *head) {
int ii = 0;
while ( ii<head->height*head->width ) {
int cnt = getc(file);
+ if (cnt < 0 || ii + cnt > head->height * head->width) {
+ return 0;
+ }
if ( cnt!=0 ) {
int ch = getc(file);
while ( --cnt>=0 )
head->byte_pixels[ii++] = ch;
} else {
cnt = getc(file);
+ if (cnt < 0 || ii + cnt > head->height * head->width) {
+ return 0;
+ }
if ( cnt>= 3 ) {
int odd = cnt&1;
while ( --cnt>=0 )
meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15279-2.patch
+34
View File
@@ -0,0 +1,34 @@
From 3ea803a0205aa1d9134a0440ccd55546e3aec019 Mon Sep 17 00:00:00 2001
From: Ahmet Furkan Kavraz
<55850855+ahmetfurkankavraz@users.noreply.github.com>
Date: Mon, 12 Jan 2026 22:45:16 +0100
Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
(#5723)
Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
CVE: CVE-2025-15279
Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/720ea95020c964202928afd2e93b0f5fac11027e]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
gutils/gimagereadbmp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
index 3ec5abbff..4bf255ee1 100644
--- a/gutils/gimagereadbmp.c
+++ b/gutils/gimagereadbmp.c
@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
head->byte_pixels[ii++] = ch;
} else {
cnt = getc(file);
- if (cnt < 0 || ii + cnt > head->height * head->width) {
- return 0;
- }
if ( cnt>= 3 ) {
+ if (ii + cnt > head->height * head->width) {
+ return 0;
+ }
int odd = cnt&1;
while ( --cnt>=0 )
head->byte_pixels[ii++] = getc(file);
meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+2
View File
@@ -23,6 +23,8 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
file://CVE-2025-15269.patch \ file://CVE-2025-15269.patch \
file://CVE-2025-15270.patch \ file://CVE-2025-15270.patch \
file://CVE-2025-15275.patch \ file://CVE-2025-15275.patch \
file://CVE-2025-15279-1.patch \
file://CVE-2025-15279-2.patch \
" "
S = "${WORKDIR}/git" S = "${WORKDIR}/git"