ID CVE-2020-5395
Summary FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c.
References
Vulnerable Configurations
  • cpe:2.3:a:fontforge:fontforge:20190801:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 08-03-2024 - 01:15)
Impact:
Exploitability:
CWE CWE-416
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1790041
    title CVE-2020-5395 fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment fontforge is earlier than 0:20170731-14.el8
            oval oval:com.redhat.rhsa:tst:20201921001
          • comment fontforge is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201921002
        • AND
          • comment fontforge-debugsource is earlier than 0:20170731-14.el8
            oval oval:com.redhat.rhsa:tst:20201921003
          • comment fontforge-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201921004
    rhsa
    id RHSA-2020:1921
    released 2020-04-28
    severity Moderate
    title RHSA-2020:1921: fontforge security update (Moderate)
  • bugzilla
    id 1790041
    title CVE-2020-5395 fontforge: out-of-bounds write in SFD_GetFontMetaData function in sfd.c
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment fontforge is earlier than 0:20120731b-13.el7
            oval oval:com.redhat.rhsa:tst:20203966001
          • comment fontforge is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201921002
        • AND
          • comment fontforge-devel is earlier than 0:20120731b-13.el7
            oval oval:com.redhat.rhsa:tst:20203966003
          • comment fontforge-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20203966004
    rhsa
    id RHSA-2020:3966
    released 2020-09-29
    severity Moderate
    title RHSA-2020:3966: fontforge security update (Moderate)
rpms
  • fontforge-0:20170731-14.el8
  • fontforge-debuginfo-0:20170731-14.el8
  • fontforge-debugsource-0:20170731-14.el8
  • fontforge-0:20120731b-13.el7
  • fontforge-debuginfo-0:20120731b-13.el7
  • fontforge-devel-0:20120731b-13.el7
refmap via4
fedora
  • FEDORA-2020-229ad63391
  • FEDORA-2020-906ee5b38d
gentoo GLSA-202004-14
misc https://github.com/fontforge/fontforge/issues/4084
suse openSUSE-SU-2020:0089
Last major update 08-03-2024 - 01:15
Published 03-01-2020 - 20:15
Last modified 08-03-2024 - 01:15