Heap-Based Buffer Overflow in FontForge by Mantissa Corporation
CVE-2020-5496

8.8HIGH

Key Information:

Vendor

Fontforge

Status
Fontforge
Vendor
CVE Published:
3 January 2020

What is CVE-2020-5496?

The vulnerability in FontForge, specifically in the Type2NotDefSplines() function within the splinesave.c file, presents a potential risk via a heap-based buffer overflow. An attacker could exploit this issue to execute arbitrary code or potentially compromise system integrity by carefully crafting specific inputs. Users are advised to update to the latest secure version to mitigate any potential risks associated with this vulnerability. For more details, refer to the available advisories.

References

https://github.com/fontforge/fontforge/issues/4085
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisory
https://security.gentoo.org/glsa/202004-14
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.