https://bugzilla.redhat.com/show_bug.cgi?id=2426593
Bug ID: 2426593
Summary: CVE-2025-15279 fontforge: FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [fedora-42]
Product: Fedora
Version: 42
Status: NEW
Whiteboard: {"flaws": ["cab9b630-800b-43be-8e4e-d2a23173d42e"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426421
Target Milestone: ---
Classification: Fedora
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability
management information. If something is wrong or missing, please contact a
member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essent…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2426593
https://bugzilla.redhat.com/show_bug.cgi?id=2426589
Bug ID: 2426589
Summary: CVE-2025-15275 fontforge: FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [fedora-42]
Product: Fedora
Version: 42
Status: NEW
Whiteboard: {"flaws": ["5af30362-e9b2-494f-8f80-baaa55c5a07e"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426429
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=2426577
Bug ID: 2426577
Summary: CVE-2025-15269 fontforge: FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability [fedora-42]
Product: Fedora
Version: 42
Status: NEW
Whiteboard: {"flaws": ["0863e5e2-7597-4ea2-8788-270434bc8584"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426423
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=2426597
Bug ID: 2426597
Summary: CVE-2025-15279 fontforge: FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [fedora-43]
Product: Fedora
Version: 43
Status: NEW
Whiteboard: {"flaws": ["cab9b630-800b-43be-8e4e-d2a23173d42e"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426421
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=2426591
Bug ID: 2426591
Summary: CVE-2025-15275 fontforge: FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability [fedora-43]
Product: Fedora
Version: 43
Status: NEW
Whiteboard: {"flaws": ["5af30362-e9b2-494f-8f80-baaa55c5a07e"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426429
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=2426578
Bug ID: 2426578
Summary: CVE-2025-15269 fontforge: FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability [fedora-43]
Product: Fedora
Version: 43
Status: NEW
Whiteboard: {"flaws": ["0863e5e2-7597-4ea2-8788-270434bc8584"]}
Component: fontforge
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pnemade(a)redhat.com
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, kevin(a)scrye.com, pnemade(a)redhat.com
Blocks: 2426423
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=2431892
Bug ID: 2431892
Summary: Provide a meta-package that prioritizes VFs
Product: Fedora
Version: 43
Hardware: x86_64
OS: Linux
Status: NEW
Component: google-noto-fonts
Severity: medium
Assignee: tagoh(a)redhat.com
Reporter: EpicTux123(a)proton.me
QA Contact: extras-qa(a)fedoraproject.org
CC: fonts-bugs(a)lists.fedoraproject.org, i18n-bugs(a)lists.fedoraproject.org, petersen(a)redhat.com, pwu(a)redhat.com, tagoh(a)redhat.com
Target Milestone: ---
Classification: Fedora
Hi there.
Currently, the "google-noto-fonts-all" meta-package installs many font
duplicates. Fedora seems to prefer VF variants (
https://fedoraproject.org/wiki/Changes/VariableNotoFonts ,
https://fedoraproject.org/wiki/Changes/Noto_CJK_Variable_Fonts ), but the
meta-package installs both Static and VF variants of the same fonts. Example
from the command "dnf repoquery --requires google-noto-fonts-all":
------------------------------------------------------
google-noto-serif-hebrew-fonts = 20250901-1.fc43
google-noto-serif-hebrew-fonts = 20251101-2.fc43
google-noto-serif-hebrew-vf-fonts = 20250901-1.fc43
google-noto-serif-hebrew-vf-fonts = 20251101-2.fc43
------------------------------------------------------
I would like to request the creation of a meta-package that prioritizes VF
variants and doesn't install their equivalent duplicates in the Static variant.
For example, the meta-package would install Hebrew VF fonts, but not Hebrew
Static fonts.
This eliminates the duplicates, while still keeping the Static fonts in a
meta-package for the fonts that don't have VF variants.
Additional note: the current "google-noto-fonts-all" should probably install
the other "-all" meta-packages as well, since it includes all of their deps as
well.
Thanks.
Reproducible: Always
https://bugzilla.redhat.com/show_bug.cgi?id=2402600
Bug ID: 2402600
Summary: google-roboto-fonts-3.013 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: google-roboto-fonts
Keywords: FutureFeature, Triaged
Assignee: dtardon(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: davide(a)cavalca.name, dtardon(a)redhat.com, epel-packagers-sig(a)lists.fedoraproject.org, fonts-bugs(a)lists.fedoraproject.org, i18n-bugs(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Releases retrieved: 3.000, 3.001, 3.002, 3.003, 3.004, 3.005, 3.006, 3.007, 3.008, 3.009, 3.010, 3.011, 3.012, 3.013
Upstream release that is considered latest: 3.013
Current version/release in rawhide: 2.138-20.fc43
URL: https://github.com/googlefonts/roboto-3-classic
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_M…
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from Anitya:
https://release-monitoring.org/project/12041/
To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/google-roboto-fonts