PT-2021-11169 · Fontforge+5 · Fontforge+5

Published

2020-03-22

Updated

2021-04-07

CVE-2020-25690

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: FontForge versions prior to 20200314

Description: An out-of-bounds write flaw was found in FontForge while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this issue is to confidentiality, integrity, as well as system availability.

Recommendations: For versions prior to 20200314, update to a version 20200314 or later to resolve the issue. As a temporary workaround, consider restricting the parsing of SFD files or disabling the functionality that handles LayerCount tokens until a patch is available.

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALSA-2020:4844

ALT-PU-2020-1542

CESA-2020_4844

CVE-2020-25690

MGASA-2020-0405

OESA-2021-1104

OPENSUSE-SU-2020:2111-1

OPENSUSE-SU-2020_2111-1

RHSA-2020:4844

RHSA-2020_4844

SUSE-SU-2020:3628-1

SUSE-SU-2020_3628-1

Affected Products

Alt Linux

Almalinux

Centos

Fontforge

Red Hat

Suse

PT-2021-11169 · Fontforge+5 · Fontforge+5

CVE-2020-25690

Weakness Enumeration

Related Identifiers

Affected Products

References · 24