fontforge: patch CVE-2025-15270

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270 Pick the patch that mentions this vulnerbaility explicitly in its description. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2026-02-02 14:50:44 +01:00 · 2026-02-02 14:50:44 +01:00 · 713739da29
commit 713739da29
parent dd81ffdb68
2 changed files with 46 additions and 0 deletions
--- a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2025-15270.patch
@ -0,0 +1,45 @@
+From 99067ccd695619686646905e637993f0654abb41 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 31 Jan 2026 21:23:41 +0100
+Subject: [PATCH] Fix CVE-2025-15270: Heap buffer overflow in SFD kern class
+ parsing (#5743)
+
+From: Ahmet Furkan Kavraz <55850855+ahmetfurkankavraz@users.noreply.github.com>
+
+Fixes: CVE-2025-15270 | ZDI-25-1194 | ZDI-CAN-28563
+
+Co-authored-by: Ahmet Furkan Kavraz <kavraz@amazon.com>
+
+CVE: CVE-2025-15270
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/d01333a5bfa2ac4ed698c24b323d02107deacad7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index be4220515..d550f02fb 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -8147,6 +8147,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ 	for ( i=classstart; i<kc->first_cnt; ++i ) {
+ 	  if (kernclassversion < 3) {
+ 	    getint(sfd,&temp);
+	    if (temp < 0) {
+	      LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+	      return false;
+	    }
+ 	    kc->firsts[i] = malloc(temp+1); kc->firsts[i][temp] = '\0';
+ 	    nlgetc(sfd);	/* skip space */
+ 	    fread(kc->firsts[i],1,temp,sfd);
+@@ -8164,6 +8168,10 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ 	for ( i=1; i<kc->second_cnt; ++i ) {
+ 	  if (kernclassversion < 3) {
+ 	    getint(sfd,&temp);
+	    if (temp < 0) {
+	      LogError(_("Corrupted SFD file: Invalid kern class name length %d. Aborting load."), temp);
+	      return false;
+	    }
+ 	    kc->seconds[i] = malloc(temp+1); kc->seconds[i][temp] = '\0';
+ 	    nlgetc(sfd);	/* skip space */
+ 	    fread(kc->seconds[i],1,temp,sfd);
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20251009.bb
@ -22,6 +22,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https;tag=$
           file://CVE-2025-15279-2.patch \
           file://CVE-2025-15275.patch \
           file://CVE-2025-15269.patch \
+           file://CVE-2025-15270.patch \
           "

 EXTRA_OECMAKE = "-DENABLE_DOCS=OFF"