From d05dafe7d3b94c6ed39e4cf40630c0d16919b5a3 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 27 Feb 2024 10:55:08 +0800
Subject: [PATCH] Fix CVE-2024-25081 and CVE-2024-25082

---
 CVE-2024-25081_CVE-2024-25082.patch | 178 ++++++++++++++++++++++++++++
 fontforge.spec                      |   7 +-
 2 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-25081_CVE-2024-25082.patch

diff --git a/CVE-2024-25081_CVE-2024-25082.patch b/CVE-2024-25081_CVE-2024-25082.patch
new file mode 100644
index 0000000..06de9e4
--- /dev/null
+++ b/CVE-2024-25081_CVE-2024-25082.patch
@@ -0,0 +1,178 @@
+From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001
+From: Peter Kydas <pk@canva.com>
+Date: Tue, 6 Feb 2024 20:03:04 +1100
+Subject: [PATCH] fix splinefont shell command injection (#5367)
+
+---
+ fontforge/splinefont.c | 125 +++++++++++++++++++++++++++++------------
+ 1 file changed, 90 insertions(+), 35 deletions(-)
+
+diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c
+index 239fdc035b..647daee109 100644
+--- a/fontforge/splinefont.c
++++ b/fontforge/splinefont.c
+@@ -788,11 +788,14 @@ return( name );
+ 
+ char *Unarchive(char *name, char **_archivedir) {
+     char *dir = getenv("TMPDIR");
+-    char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile;
++    char *pt, *archivedir, *listfile, *desiredfile;
+     char *finalfile;
+     int i;
+     int doall=false;
+     static int cnt=0;
++    gchar *command[5];
++    gchar *stdoutresponse = NULL;
++    gchar *stderrresponse = NULL;
+ 
+     *_archivedir = NULL;
+ 
+@@ -827,18 +830,30 @@ return( NULL );
+     listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1);
+     sprintf( listfile, "%s/" TOC_NAME, archivedir );
+ 
+-    listcommand = malloc( strlen(archivers[i].unarchive) + 1 +
+-			strlen( archivers[i].listargs) + 1 +
+-			strlen( name ) + 3 +
+-			strlen( listfile ) +4 );
+-    sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive,
+-	    archivers[i].listargs, name, listfile );
+-    if ( system(listcommand)!=0 ) {
+-	free(listcommand); free(listfile);
+-	ArchiveCleanup(archivedir);
+-return( NULL );
+-    }
+-    free(listcommand);
++    command[0] = archivers[i].unarchive;
++    command[1] = archivers[i].listargs;
++    command[2] = name;
++    command[3] = NULL; // command args need to be NULL-terminated
++
++    if ( g_spawn_sync(
++                      NULL,
++                      command,
++                      NULL,
++                      G_SPAWN_SEARCH_PATH, 
++                      NULL, 
++                      NULL, 
++                      &stdoutresponse, 
++                      &stderrresponse, 
++                      NULL, 
++                      NULL
++                      ) == FALSE) { // did not successfully execute
++      ArchiveCleanup(archivedir);
++      return( NULL );
++    }
++    // Write out the listfile to be read in later
++    FILE *fp = fopen(listfile, "wb");
++    fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp);
++    fclose(fp);
+ 
+     desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall);
+     free(listfile);
+@@ -847,22 +862,28 @@ return( NULL );
+ return( NULL );
+     }
+ 
+-    /* I tried sending everything to stdout, but that doesn't work if the */
+-    /*  output is a directory file (ufo, sfdir) */
+-    unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 +
+-			strlen( archivers[i].listargs) + 1 +
+-			strlen( name ) + 1 +
+-			strlen( desiredfile ) + 3 +
+-			strlen( archivedir ) + 30 );
+-    sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir,
+-	    archivers[i].unarchive,
+-	    archivers[i].extractargs, name, doall ? "" : desiredfile );
+-    if ( system(unarchivecmd)!=0 ) {
+-	free(unarchivecmd); free(desiredfile);
+-	ArchiveCleanup(archivedir);
+-return( NULL );
++    command[0] = archivers[i].unarchive;
++    command[1] = archivers[i].extractargs;
++    command[2] = name;
++    command[3] = doall ? "" : desiredfile;
++    command[4] = NULL;
++
++    if ( g_spawn_sync(
++                      (gchar*)archivedir,
++                      command,
++                      NULL,
++                      G_SPAWN_SEARCH_PATH, 
++                      NULL, 
++                      NULL, 
++                      &stdoutresponse, 
++                      &stderrresponse, 
++                      NULL, 
++                      NULL
++                      ) == FALSE) { // did not successfully execute
++      free(desiredfile);
++      ArchiveCleanup(archivedir);
++      return( NULL );
+     }
+-    free(unarchivecmd);
+ 
+     finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1);
+     sprintf( finalfile, "%s/%s", archivedir, desiredfile );
+@@ -885,20 +906,54 @@ struct compressors compressors[] = {
+ 
+ char *Decompress(char *name, int compression) {
+     char *dir = getenv("TMPDIR");
+-    char buf[1500];
+     char *tmpfn;
+-
++    gchar *command[4];
++    gint stdout_pipe;
++    gchar buffer[4096];
++    gssize bytes_read;
++    GByteArray *binary_data = g_byte_array_new();
++    
+     if ( dir==NULL ) dir = P_tmpdir;
+     tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2);
+     strcpy(tmpfn,dir);
+     strcat(tmpfn,"/");
+     strcat(tmpfn,GFileNameTail(name));
+     *strrchr(tmpfn,'.') = '\0';
+-    snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn );
+-    if ( system(buf)==0 )
+-return( tmpfn );
+-    free(tmpfn);
+-return( NULL );
++
++    command[0] = compressors[compression].decomp;
++    command[1] = "-c";
++    command[2] = name;
++    command[3] = NULL;
++
++    // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data)
++    if (g_spawn_async_with_pipes(
++      NULL, 
++      command, 
++      NULL, 
++      G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH,
++      NULL, 
++      NULL,  
++      NULL,
++      NULL, 
++      &stdout_pipe, 
++      NULL, 
++      NULL) == FALSE) {
++      //command has failed
++      return( NULL );
++    }
++
++    // Read binary data from pipe and output to file
++    while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) {
++        g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read);
++    }
++    close(stdout_pipe);
++
++    FILE *fp = fopen(tmpfn, "wb");
++    fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp);
++    fclose(fp);
++    g_byte_array_free(binary_data, TRUE);
++
++		return(tmpfn);
+ }
+ 
+ static char *ForceFileToHaveName(FILE *file, char *exten) {
diff --git a/fontforge.spec b/fontforge.spec
index 25b0cd9..174ab2b 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -3,12 +3,14 @@
 
 Name:           fontforge
 Version:        20230101
-Release:        2
+Release:        3
 Summary:        Outline and bitmap font editor
 License:        GPLv3+
 URL:            http://fontforge.github.io/
 Source0:        https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         Fix-errors-in-French-and-Italian-translations.patch
+# https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429
+Patch1:         CVE-2024-25081_CVE-2024-25082.patch
 
 Requires:       xdg-utils potrace hicolor-icon-theme
 BuildRequires:  gcc-c++ cmake libjpeg-devel libtiff-devel libpng-devel giflib-devel libxml2-devel
@@ -107,6 +109,9 @@ popd
 %{_mandir}/man1/*.1*
 
 %changelog
+* Tue Feb 27 2024 yaoxin <yao_xin001@hoperun.com> - 20230101-3
+- Fix CVE-2024-25081 and CVE-2024-25082
+
 * Wed Jul 19 2023 yaoxin <yao_xin001@hoperun.com> - 20230101-2
 - Fix build error caused by gettext update to 0.22
 
-- 
Gitee