Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fontforge: CVE-2020-5395, CVE-2020-5496 #88557

Closed
wants to merge 2 commits into from
Closed

fontforge: CVE-2020-5395, CVE-2020-5496 #88557

wants to merge 2 commits into from

Conversation

erictapen
Copy link
Member

@erictapen erictapen commented May 21, 2020
edited

Motivation for this change

Close #88291.

Things done

See the commit message for reasoning.

This needs to be backported to nixos-20.03.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

puzzlewolf
puzzlewolf reviewed May 24, 2020
View reviewed changes
Copy link
Contributor

@puzzlewolf puzzlewolf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't nixpkgs-review this giant rebuild on my laptop, sorry. But you could take the opportunity and replace fetchurl with fetchFromGithub and http with https in meta.homepage. :)

@erictapen
fontforge: patch for CVE-2020-5395 and CVE-2020-5496
156fc5f 
These CVEs have two different issues being tagged as 'Exploit'.

CVE-2020-5395 [0]: fontforge/fontforge#4084
CVE-2020-5496 [1]: fontforge/fontforge#4085

Both issues refer to [2] as a fix, so I guess this patch fixes it.

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-5395
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-5496
[2] fontforge/fontforge@048a91e
@erictapen
fontforge: update meta.homepage
a16ff5e 
The old homepage fontforge.github.io redirects to fontforge.org
@erictapen
Copy link
Member Author

Fixed the https URL.

We use fetchurl, as we are building from the release tarball, not from source. I'm not satisfied with the situation but it's non-trivial to fix, as the release tarball contains more than just the sources. I'm working on a PR that fixes the issue and upgrades to 20200314.

@puzzlewolf
Copy link
Contributor

Ah, that makes sense. I was wondering why you didn't just update 😃

@FRidh
Copy link
Member

FRidh commented May 29, 2020

ofborg failed to fetch the patch

@FRidh FRidh added this to WIP in Staging via automation May 29, 2020
@erictapen
Copy link
Member Author

That's weird, the URL is still valid. Let's retry it.
@GrahamcOfBorg build fontforge

@erictapen
Copy link
Member Author

/nix/store/01d4cg8iwh6y0gb7zc0vz84q3spc927y-CVE-2020-5395+CVE-2020-5496.patch.drv definetely builds locally for me. @grahamc do you have an idea?

@FRidh note that the check fontforge on {x86_64-linux,aarch64-linux} resulted in a success.

@FRidh
Copy link
Member

FRidh commented Jun 7, 2020

I've merged #89583.

@FRidh FRidh closed this Jun 7, 2020
Staging automation moved this from WIP to Done Jun 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puzzlewolf puzzlewolf puzzlewolf left review comments

Assignees
No one assigned
Labels
10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 11.by: package-maintainer
Projects
Staging
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@erictapen @puzzlewolf @FRidh