CVE-2024-25081: Command Injection
Published Feb 26, 2024
·Updated
Splinefont in FontForge through 20230101 allows command injection via crafted filenames.
Affected Software
9 affected componentsFixes available
ubuntu/fontforge<1:20170731~dfsg-1ubuntu0.1~
1:20170731~dfsg-1ubuntu0.1~
ubuntu/fontforge<1:20190801~dfsg-4ubuntu0.1
1:20190801~dfsg-4ubuntu0.1
ubuntu/fontforge<1:20201107~dfsg-4+
1:20201107~dfsg-4+
ubuntu/fontforge<1:20230101~dfsg-1ubuntu0.1
1:20230101~dfsg-1ubuntu0.1
ubuntu/fontforge<20120731.
20120731.
debian/fontforge
1:20201107~dfsg-4+deb11u11:20230101~dfsg-1.1~deb12u11:20230101~dfsg-3
FontForge FontForge<=20230101
Debian Debian Linux=10.0
Fedoraproject Fedora=40
Remediation
Patch Available
Event History
Feb 26, 2024
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·04:27 PM
Description
Data Sourced
via Red Hat·09:38 PM
DescriptionSeverityAffected Software
Mar 8, 2024
News Published
via The Register·03:57 AM
News Published
via The Register·04:00 AM
Jul 1, 2024
Data Sourced
via Launchpad·10:48 AM
Description
Frequently Asked Questions
1
What is the severity of CVE-2024-25081?
CVE-2024-25081 has a high severity due to its command injection vulnerability allowing potential remote code execution.
2
How do I fix CVE-2024-25081?
To fix CVE-2024-25081, users should upgrade to a patched version of FontForge, specifically above 1:20230101~dfsg-1ubuntu0.1.
3
What versions of FontForge are affected by CVE-2024-25081?
CVE-2024-25081 affects FontForge versions earlier than 1:20230101~dfsg-1ubuntu0.1 across various Ubuntu and Debian releases.
4
What impact does CVE-2024-25081 have on users?
CVE-2024-25081 can allow attackers to execute arbitrary commands on a vulnerable system through specially crafted filenames.
5
Is there any workaround for CVE-2024-25081?
As of now, no known workarounds exist for CVE-2024-25081; the best action is to update to a secure version.