Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2024-25082

Published: 26/02/2024 Updated: 01/05/2024

Vulnerability Summary

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

Vulnerability Trend

Vendor Advisories

Debian CVElist Bug Report Logs: fontforge: CVE-2024-25081 CVE-2024-25082
Debian Bug report logs - #1064967 fontforge: CVE-2024-25081 CVE-2024-25082 Package: src:fontforge; Maintainer for src:fontforge is Debian Fonts Task Force <debian-fonts@listsdebianorg>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Wed, 28 Feb 2024 14:48:02 UTC Severity: grave Tags: security Reply or ...
Amazon Linux 2: ALAS-2024-2495
Splinefont in FontForge through 20230101 allows command injection via crafted filenames (CVE-2024-25081) Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files (CVE-2024-25082) ...
Red Hat:
Description<!---->This CVE is under investigation by Red Hat Product Security ...

Mailing Lists

Full Disclosure: Vulnerabilties in FontTools & FontForge
wwwcanvadev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/ is a detailed blog about vulnerabilities in some open source font handling software It discusses three new vulnerabilities in particular: - CVE-2023-45139 in FontTools versions &gt;=4282, &lt;4430, fixed in 4430 FontTools uses lxml to process SVG tables in ...

Recent Articles

Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva
The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Who knew that unzipping a font archive could unleash a malicious file

Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places." On its engineering blog, the Australian outfit explained it's "continuously looking for ways to uplift the security of [its] processes, software, supply chain, and tools," leading it to the "less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing." That effort yielded three type-related vulns. CVE-2023-45139 is a high-sev...

Read more...

References

https://fontforge.org/en-US/downloads/https://github.com/fontforge/fontforge/pull/5367https://lists.debian.org/debian-lts-announce/2024/03/msg00007.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCH22HIO2C6M4BZWF5EYIWVFBXL5BQAH/http://www.openwall.com/lists/oss-security/2024/03/08/2https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064967https://nvd.nist.govhttps://alas.aws.amazon.com/AL2/ALAS-2024-2495.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-5248CVE-2024-3110CVE-2024-5552CVE-2024-29415HTML injectionCVE-2024-3095TCPtype confusionCVE-2024-1800
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook