fontforge-20201107-7.el9_7
Errata ID: AXSA:2026-156:01
Release date:
2026/02/09 Monday - 19:27
Title:
fontforge-20201107-7.el9_7
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- FontForge contains a use-after-free flaw that allows a remote attacker to execute arbitrary code. (CVE-2025-15269)
- FontForge contains a heap-based buffer overflow flaw that allows a remote attacker to execute arbitrary code. (CVE-2025-15275)
- FontForge contains a heap-based buffer overflow flaw that allows a local attacker to execute arbitrary code. (CVE-2025-15279)
Solution:
Update the package.
CVE:
CVE-2025-15269
FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564.
CVE-2025-15275
FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543.
CVE-2025-15279
FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517.
Additional information:
N/A
Download:
SRPMS
- fontforge-20201107-7.el9_7.src.rpm
MD5: faf807aa646a335daa5697cd9a98871e
SHA-256: 14e9c46172aaa1c956a9d07c5996d9bf685f3482910cbde30ab7b4baf37d1ba2
Size: 18.15 MB
Asianux Server 9 for x86_64
- fontforge-20201107-7.el9_7.i686.rpm
MD5: 8b2ccc40133770e649c8d7651bcbf2cd
SHA-256: 51450d79a823390f25fa8a0ef5ba70532c7a54f6831ef60585de76e513fe4ff4
Size: 6.01 MB
- fontforge-20201107-7.el9_7.x86_64.rpm
MD5: 9b2c452ef3f7df7163089cb14890e1af
SHA-256: b6759e89d6836fc80c84a99fec057b6c338efbd581828cb37528665c6cb8ed2f
Size: 5.86 MB
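The solution above is to update the package, and the download list publishes a SHA-256 for each RPM. The following POSIX shell script is an added example (it is not part of this advisory or of the MIRACLE LINUX tooling) that checks downloaded RPMs against those published digests before they are installed. It assumes sha256sum (or shasum) and awk are available, and that the listing uses the same "- <file>" / "SHA-256: <hex>" line layout as this page; the listing embedded in the script is a constructed copy of the x86_64 entries above.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded errata RPMs
# against the SHA-256 digests published in the advisory before installing.
# Assumptions: sha256sum (coreutils) or shasum is available; the listing
# format is "- <file>" followed by a "SHA-256: <hex>" line, as on this page.

# Constructed copy of the advisory's x86_64 download listing.
ADVISORY_LISTING='- fontforge-20201107-7.el9_7.i686.rpm
SHA-256: 51450d79a823390f25fa8a0ef5ba70532c7a54f6831ef60585de76e513fe4ff4
- fontforge-20201107-7.el9_7.x86_64.rpm
SHA-256: b6759e89d6836fc80c84a99fec057b6c338efbd581828cb37528665c6cb8ed2f'

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise.
# The expected value is lower-cased so digests copied in upper case still match.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# expected_hash LISTING FILENAME -> prints the SHA-256 the listing gives for
# FILENAME, or nothing if FILENAME is not in the listing.
expected_hash() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^- /        { current = $2 }
        /^SHA-256:/  { if (current == want) { print tolower($2); exit } }'
}

# verify_from_listing LISTING DIR -> checks every file named in LISTING that
# exists in DIR. Files not yet downloaded are skipped; a single mismatch makes
# the function return 1 so a caller can refuse to run "rpm -U" on the set.
verify_from_listing() {
    listing=$1
    dir=$2
    status=0
    for name in $(printf '%s\n' "$listing" | awk '/^- / {print $2}'); do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "skip (not downloaded): $name"
            continue
        fi
        if verify_checksum "$path" "$(expected_hash "$listing" "$name")"; then
            echo "ok:       $name"
        else
            echo "MISMATCH: $name (do not install)"
            status=1
        fi
    done
    return $status
}

# Usage: verify_from_listing "$ADVISORY_LISTING" ./downloads && sudo rpm -U ./downloads/*.rpm
```

The digest check only confirms that the file you hold is the one the errata describes; it does not replace RPM signature verification (rpm -K), which checks the package's own GPG signature. Run both before installing from a manually downloaded file.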