From: Raspbian automatic forward porter Date: Thu, 4 Apr 2024 17:19:06 +0000 (+0100) Subject: Merge version 1:20201107~dfsg-4+rpi1 and 1:20201107~dfsg-4+deb11u1 to produce 1:20201... X-Git-Tag: archive/raspbian/1%20201107_dfsg-4+rpi1+deb11u1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6f40cb5b21dcc6c8cefc876f9f5ec827b757bf18;p=fontforge.git Merge version 1:20201107~dfsg-4+rpi1 and 1:20201107~dfsg-4+deb11u1 to produce 1:20201107~dfsg-4+rpi1+deb11u1 --- 6f40cb5b21dcc6c8cefc876f9f5ec827b757bf18 diff --cc debian/changelog index 5eb8295,431a40a..0ae4fcb --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,12 +1,21 @@@ - fontforge (1:20201107~dfsg-4+rpi1) bullseye-staging; urgency=medium ++fontforge (1:20201107~dfsg-4+rpi1+deb11u1) bullseye-staging; urgency=medium + + [changes brought forward from 1:20190801~dfsg-4+rpi1 by Peter Michael Green at Wed, 01 Apr 2020 17:53:42 +0000] + * Disable call to SplineFontFree in _MergeFont to work around use after + free bug (see debian bug 948876). + * Fix clean target. + - -- Raspbian forward porter Fri, 22 Jan 2021 05:12:58 +0000 ++ -- Raspbian forward porter Thu, 04 Apr 2024 17:19:06 +0000 ++ + fontforge (1:20201107~dfsg-4+deb11u1) bullseye-security; urgency=medium + + * Non-maintainer upload. + * CVE-2024-25081: Spline Font command injection via crafted filenames + * CVE-2024-25082: Spline Font command injection via crafted archives + or compressed files + * Closes: #1064967 + + -- Adrian Bunk Fri, 15 Mar 2024 22:56:38 +0200 fontforge (1:20201107~dfsg-4) unstable; urgency=medium diff --cc debian/patches/series index 116a42d,0b94d76..5cafb65 --- a/debian/patches/series +++ b/debian/patches/series @@@ -5,4 -5,4 +5,5 @@@ 0005-hurd-rename-extended-to-avoid-conflict-with-gnumach-dev.patch 2003_avoid_privacy_breach.patch 2004-fix-privacy-breach-logo.patch + 0001-fix-splinefont-shell-command-injection-5367.patch +4000-use-after-free-hack.patch
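Review bot: In the debian/changelog hunk, the new top stanza for 1:20201107~dfsg-4+rpi1+deb11u1 lists only the forward-ported items (the SplineFontFree workaround and the clean target fix) and never states that this version now includes the CVE-2024-25081 and CVE-2024-25082 fixes. Those are named only in the 1:20201107~dfsg-4+deb11u1 stanza below it, so anyone reading just the top entry cannot tell that this build carries the command injection fixes. Suggest adding a line to the top stanza that records the merge of 1:20201107~dfsg-4+deb11u1 and names both CVEs.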
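Review bot: In the debian/patches/series hunk, the local 4000-use-after-free-hack.patch now applies after the newly added 0001-fix-splinefont-shell-command-injection-5367.patch, and that ordering was produced by an automatic merge. Confirm that the full series still applies cleanly in this order and that the hack, which per the changelog disables the SplineFontFree call in _MergeFont, does not overlap the code the security patch changes. Neither patch body is part of this diff, so that cannot be checked from the lines shown here.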