February 2020 - fonts-bugs - Fedora Mailing-Lists

[Bug 1737785] New: CVE-2019-1010238 pango: heap based buffer overflow can be used to get code execution

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1737785 Bug ID: 1737785 Summary: CVE-2019-1010238 pango: heap based buffer overflow can be used to get code execution Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: caillon+fedoraproject(a)gmail.com, eng-i18n-bugs(a)redhat.com, fonts-bugs(a)lists.fedoraproject.org, gnome-sig(a)lists.fedoraproject.org, i18n-bugs(a)lists.fedoraproject.org, john.j5live(a)gmail.com, mclasen(a)redhat.com, pwu(a)redhat.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com, tagoh(a)redhat.com Target Milestone: --- Classification: Other Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. External References: https://packetstormsecurity.com/files/153838/USN-4081-1.txt -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 12 months

1
32
0 / 0

[Bug 1788493] New: CVE-2020-5496 fontforge: heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1788493 Bug ID: 1788493 Summary: CVE-2020-5496 fontforge: heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: eng-i18n-bugs(a)redhat.com, fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, paul(a)frixxon.co.uk, pnemade(a)redhat.com Target Milestone: --- Classification: Other FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c. Upstream Issue: https://github.com/fontforge/fontforge/issues/4085 -- You are receiving this mail because: You are on the CC list for the bug.

4 years

1
1
0 / 0

[Bug 1806271] New: dropped stix-math-fonts subpackage causes broken dependencies

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1806271 Bug ID: 1806271 Summary: dropped stix-math-fonts subpackage causes broken dependencies Product: Fedora Version: rawhide Status: NEW Component: stix-fonts Assignee: nicolas.mailhot(a)laposte.net Reporter: decathorpe(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: fonts-bugs(a)lists.fedoraproject.org, nicolas.mailhot(a)laposte.net, paul(a)frixxon.co.uk Target Milestone: --- Classification: Fedora With the transition to new forge-based fonts macros, the stix-math-tonts subpackage was dropped, but some packages depend on that. They are now not installable on fedora 32+ because that package is gone (only Obsoleted, not Provided). This affects at least sagemath and texlive-stix. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 1 month

1
15
0 / 0

[Bug 1805743] Review Request: impallari-dancing-script-fonts - A friendly, informal and spontaneous cursive font family

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805743 --- Comment #8 from Parag AN(पराग) <panemade(a)gmail.com> --- Thank you. Glad my review helped here. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 1 month

1
0
0 / 0

[Bug 1805743] Review Request: impallari-dancing-script-fonts - A friendly, informal and spontaneous cursive font family

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805743 --- Comment #7 from Nicolas Mailhot <nicolas.mailhot(a)laposte.net> --- Ok I found the cause, it’s not a weird rpm or macro bug, it’s the usual stupid PEBCAK https://src.fedoraproject.org/rpms/impallari-dancing-script-fonts/blob/21... Sorry about the waste of time, and good catch up! -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 1 month

1
0
0 / 0

[Bug 1790042] New: CVE-2020-5395 fontforge: Use-after-free in SFD_GetFontMetaData function in sfd.c [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1790042 Bug ID: 1790042 Summary: CVE-2020-5395 fontforge: Use-after-free in SFD_GetFontMetaData function in sfd.c [fedora-all] Product: Fedora Version: 31 Status: NEW Component: fontforge Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: kevin(a)scrye.com Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, paul(a)frixxon.co.uk, pnemade(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 1 month

1
9
0 / 0

[Bug 1804509] New: fonttools-4.4.0 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1804509 Bug ID: 1804509 Summary: fonttools-4.4.0 is available Product: Fedora Version: rawhide Status: NEW Component: fonttools Keywords: FutureFeature, Triaged Assignee: pnemade(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: fonts-bugs(a)lists.fedoraproject.org, pnemade(a)redhat.com, sshedmak(a)redhat.com, tagoh(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 4.4.0 Current version/release in rawhide: 4.3.0-1.fc32 URL: https://github.com/fonttools/fonttools/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/7388/ -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 2 months

1
7
0 / 0

[Bug 1805743] Review Request: impallari-dancing-script-fonts - A friendly, informal and spontaneous cursive font family

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805743 --- Comment #6 from Nicolas Mailhot <nicolas.mailhot(a)laposte.net> --- Interesting! It used to work fine and indeed it worked fine as late as 3 days ago for https://koji.fedoraproject.org/koji/rpminfo?rpmID=20704895 that uses the exact same spec construct and was built with the same fonts macro package This is mostly a tidy-up problem (the files are still packaged, but in doc as we used to do some years ago) but it’s annoying. I will investigate -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 2 months

1
0
0 / 0

[Bug 1807696] New: config file precedence of 50 overrides local.conf

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1807696 Bug ID: 1807696 Summary: config file precedence of 50 overrides local.conf Product: Fedora Version: 32 Hardware: All OS: Linux Status: NEW Component: bitstream-vera-fonts Severity: medium Assignee: nicolas.mailhot(a)laposte.net Reporter: awilliam(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: caillon+fedoraproject(a)gmail.com, caolanm(a)redhat.com, cz172638(a)gmail.com, fonts-bugs(a)lists.fedoraproject.org, gnome-sig(a)lists.fedoraproject.org, john.j5live(a)gmail.com, mclasen(a)redhat.com, nicolas.mailhot(a)laposte.net, pavel.lisy(a)gmail.com, rhughes(a)redhat.com, rstrode(a)redhat.com, sandmann(a)redhat.com Target Milestone: --- Classification: Fedora The bitstream-vera-fonts packages were recently given fontconfig config snippets with a precedence of 50. Trouble is, this seems to override customizations in local.conf, because the snippet that loads local.conf has precedence 51. So even though I had this in local.conf: <alias> <family>sans-serif</family> <prefer> <family>Cantarell</family> <family>Droid Sans</family> <family>Bitstream Vera Sans</family> <family>DejaVu Sans</family> <family>Verdana</family> <family>Arial</family> <family>Albany AMT</family> <family>Luxi Sans</family> <family>Nimbus Sans L</family> <family>Helvetica</family> <family>Lucida Sans Unicode</family> <family>BPG Glaho International</family>  <family>Tahoma</family>  </prefer> </alias> I was getting this from fontconfig: [root@adam conf.d]# fc-match "sans" Vera.ttf: "Bitstream Vera Sans" "Regular" because 50-bitstream-vera-sans-fonts.conf has this: <alias> <family>sans-serif</family> <prefer> <family>Bitstream Vera Sans</family> </prefer> </alias> if I moved 50-bitstream-vera-sans-fonts.conf to 52-bitstream-vera-sans-fonts.conf , and ran fc-cache, fontconfig would give me Cantarell. I've now just replaced my local.conf with a 10- precedence config snippet, but still this seems wrong, I think maybe that specific <family><prefer> bit should be split out into a file with 60ish precedence? -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 2 months

1
2
0 / 0

[Bug 1805743] Review Request: impallari-dancing-script-fonts - A friendly, informal and spontaneous cursive font family

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805743 --- Comment #5 from Parag AN(पराग) <panemade(a)gmail.com> --- The way I was trying to find %license via expanding the macros did not catch %license macro, hence I noted that in my reviews. I think I got the pattern now how fedora-review output is saying missing %license in some cases. I would like to know more about this package. This package spec contains %global fontlicenses OFL.txt I checked its koji build and could not find license directory getting created. See https://koji.fedoraproject.org/koji/rpminfo?rpmID=20737044 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 2 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

fonts-bugs February 2020