CVE-2024-25082 Affecting fontforge package, versions <0:20201107-6.el9
Threat Intelligence
EPSS
0.05% (17th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALMALINUX9-FONTFORGE-8383852
- published 18 Nov 2024
- disclosed 12 Nov 2024
How to fix?
Upgrade AlmaLinux:9 fontforge to version 0:20201107-6.el9 or higher.
This issue was patched in ALSA-2024:9439.
NVD Description
Note: Versions mentioned in the description apply only to the upstream fontforge package and not the fontforge package as distributed by AlmaLinux.
See How to fix? for AlmaLinux:9 relevant fixed versions and status.
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.
References
- https://errata.almalinux.org/8/ALSA-2024-4267.html
- https://errata.almalinux.org/9/ALSA-2024-9439.html
- https://access.redhat.com/security/cve/CVE-2024-25082
- https://access.redhat.com/errata/RHSA-2024:4267
- https://access.redhat.com/errata/RHSA-2024:9439
- https://fontforge.org/en-US/downloads/
- https://github.com/fontforge/fontforge/pull/5367
- https://lists.debian.org/debian-lts-announce/2024/03/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCH22HIO2C6M4BZWF5EYIWVFBXL5BQAH/
- http://www.openwall.com/lists/oss-security/2024/03/08/2
CVSS Scores
version 3.1