From cd2ccf72e352598c1e3bb799f228f74b74213c9c Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Sat, 11 Oct 2025 00:19:54 +0800
Subject: [PATCH] 20251009
---
 .gitattributes | 1 +
 CVE-2024-25081_CVE-2024-25082.patch | 178 ------------------
 ...s-in-French-and-Italian-translations.patch | 178 ------------------
 ...230101.tar.gz => fontforge-20251009.tar.xz | 4 +-
 fontforge.spec | 19 +-
 5 files changed, 12 insertions(+), 368 deletions(-)
 delete mode 100644 CVE-2024-25081_CVE-2024-25082.patch
 delete mode 100644 Fix-errors-in-French-and-Italian-translations.patch
 rename fontforge-20230101.tar.gz => fontforge-20251009.tar.xz (32%)
diff --git a/.gitattributes b/.gitattributes
index 0a80fdc..db4e346 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 *.gz filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
diff --git a/CVE-2024-25081_CVE-2024-25082.patch b/CVE-2024-25081_CVE-2024-25082.patch
deleted file mode 100644
index 06de9e4..0000000
--- a/CVE-2024-25081_CVE-2024-25082.patch
+++ /dev/null
@@ -1,178 +0,0 @@ -From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001 -From: Peter Kydas -Date: Tue, 6 Feb 2024 20:03:04 +1100 -Subject: [PATCH] fix splinefont shell command injection (#5367) - ---- - fontforge/splinefont.c | 125 +++++++++++++++++++++++++++++------------ - 1 file changed, 90 insertions(+), 35 deletions(-) - -diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c -index 239fdc035b..647daee109 100644 ---- a/fontforge/splinefont.c -+++ b/fontforge/splinefont.c -@@ -788,11 +788,14 @@ return( name ); - - char *Unarchive(char *name, char **_archivedir) { - char *dir = getenv("TMPDIR"); -- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile; -+ char *pt, *archivedir, *listfile, *desiredfile; - char *finalfile; - int i; - int doall=false; - static int cnt=0; -+ gchar *command[5]; -+ gchar *stdoutresponse = NULL; -+ gchar *stderrresponse = NULL; - - *_archivedir = NULL; - -@@ -827,18 +830,30 @@ return( NULL ); - listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1); - sprintf( listfile, "%s/" TOC_NAME, archivedir ); - -- listcommand = malloc( strlen(archivers[i].unarchive) + 1 + -- strlen( archivers[i].listargs) + 1 + -- strlen( name ) + 3 + -- strlen( listfile ) +4 ); -- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive, -- archivers[i].listargs, name, listfile ); -- if ( system(listcommand)!=0 ) { -- free(listcommand); free(listfile); -- ArchiveCleanup(archivedir); --return( NULL ); -- } -- free(listcommand); -+ command[0] = archivers[i].unarchive; -+ command[1] = archivers[i].listargs; -+ command[2] = name; -+ command[3] = NULL; // command args need to be NULL-terminated -+ -+ if ( g_spawn_sync( -+ NULL, -+ command, -+ NULL, -+ G_SPAWN_SEARCH_PATH, -+ NULL, -+ NULL, -+ &stdoutresponse, -+ &stderrresponse, -+ NULL, -+ NULL -+ ) == FALSE) { // did not successfully execute -+ ArchiveCleanup(archivedir); -+ return( NULL ); -+ } -+ // Write out the listfile to be read in later -+ FILE *fp = 
fopen(listfile, "wb"); -+ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp); -+ fclose(fp); - - desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall); - free(listfile); -@@ -847,22 +862,28 @@ return( NULL ); - return( NULL ); - } - -- /* I tried sending everything to stdout, but that doesn't work if the */ -- /* output is a directory file (ufo, sfdir) */ -- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 + -- strlen( archivers[i].listargs) + 1 + -- strlen( name ) + 1 + -- strlen( desiredfile ) + 3 + -- strlen( archivedir ) + 30 ); -- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir, -- archivers[i].unarchive, -- archivers[i].extractargs, name, doall ? "" : desiredfile ); -- if ( system(unarchivecmd)!=0 ) { -- free(unarchivecmd); free(desiredfile); -- ArchiveCleanup(archivedir); --return( NULL ); -+ command[0] = archivers[i].unarchive; -+ command[1] = archivers[i].extractargs; -+ command[2] = name; -+ command[3] = doall ? "" : desiredfile; -+ command[4] = NULL; -+ -+ if ( g_spawn_sync( -+ (gchar*)archivedir, -+ command, -+ NULL, -+ G_SPAWN_SEARCH_PATH, -+ NULL, -+ NULL, -+ &stdoutresponse, -+ &stderrresponse, -+ NULL, -+ NULL -+ ) == FALSE) { // did not successfully execute -+ free(desiredfile); -+ ArchiveCleanup(archivedir); -+ return( NULL ); - } -- free(unarchivecmd); - - finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1); - sprintf( finalfile, "%s/%s", archivedir, desiredfile ); -@@ -885,20 +906,54 @@ struct compressors compressors[] = { - - char *Decompress(char *name, int compression) { - char *dir = getenv("TMPDIR"); -- char buf[1500]; - char *tmpfn; -- -+ gchar *command[4]; -+ gint stdout_pipe; -+ gchar buffer[4096]; -+ gssize bytes_read; -+ GByteArray *binary_data = g_byte_array_new(); -+ - if ( dir==NULL ) dir = P_tmpdir; - tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2); - strcpy(tmpfn,dir); - strcat(tmpfn,"/"); - strcat(tmpfn,GFileNameTail(name)); - *strrchr(tmpfn,'.') = '\0'; 
-- snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn ); -- if ( system(buf)==0 ) --return( tmpfn ); -- free(tmpfn); --return( NULL ); -+ -+ command[0] = compressors[compression].decomp; -+ command[1] = "-c"; -+ command[2] = name; -+ command[3] = NULL; -+ -+ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data) -+ if (g_spawn_async_with_pipes( -+ NULL, -+ command, -+ NULL, -+ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ &stdout_pipe, -+ NULL, -+ NULL) == FALSE) { -+ //command has failed -+ return( NULL ); -+ } -+ -+ // Read binary data from pipe and output to file -+ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) { -+ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read); -+ } -+ close(stdout_pipe); -+ -+ FILE *fp = fopen(tmpfn, "wb"); -+ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp); -+ fclose(fp); -+ g_byte_array_free(binary_data, TRUE); -+ -+ return(tmpfn); - } - - static char *ForceFileToHaveName(FILE *file, char *exten) { diff --git a/Fix-errors-in-French-and-Italian-translations.patch b/Fix-errors-in-French-and-Italian-translations.patch deleted file mode 100644 index e598ab3..0000000 --- a/Fix-errors-in-French-and-Italian-translations.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 55d58f87ab1440f628f2071a6f6cc7ef9626c641 Mon Sep 17 00:00:00 2001 -From: Yaakov Selkowitz -Date: Thu, 6 Jul 2023 19:15:53 -0400 -Subject: [PATCH] Fix errors in French and Italian translations - -With gettext-0.22, these mismatches trigger errors: - -'msgstr' is not a valid C format string, unlike 'msgid'. Reason: In the -directive number 2, the argument size specifier is invalid. ---- - po/fr.po | 36 ++++++++++++++++++------------------ - po/it.po | 8 ++++---- - 2 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/po/fr.po b/po/fr.po -index 26e446b380..cb492d7a00 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -291,7 +291,7 @@ msgstr "chaîne %1$.30s pour %2$.30s" - #. GT: $4 is the changed flag ('*' for the changed items) - #, c-format - msgid "%1$.80s at %2$d from %3$.90s%4$s" --msgstr "%1$.80s à %2$d de %3$.90hs%4$s" -+msgstr "%1$.80s à %2$d de %3$.90s%4$s" - - #. GT: This is the title for a window showing a bitmap character - #. GT: It will look something like: -@@ -302,7 +302,7 @@ msgstr "%1$.80s à %2$d de %3$.90hs%4$s" - #. GT: $4 is the font name - #, c-format - msgid "%1$.80s at %2$d size %3$d from %4$.80s" --msgstr "%1$.80s (%2$d) taille %3$d de %4$.80hs" -+msgstr "%1$.80s (%2$d) taille %3$d de %4$.80s" - - #, c-format - msgid "%1$s from lookup subtable %2$.50s" -@@ -7433,7 +7433,7 @@ msgid "" - "Reverting the file will lose those changes.\n" - "Is that what you want?" - msgstr "" --"La fonte %1$.40s dans le fichier %2$.40hs a été modifiée.\n" -+"La fonte %1$.40s dans le fichier %2$.40s a été modifiée.\n" - "Revenir vous fera perdre toutes les modifications.\n" - "Voulez vous vraiment revenir ?" 
- -@@ -19925,7 +19925,7 @@ msgid "" - "The fonts %1$.30s and %2$.30s have a different number of glyphs or different " - "encodings" - msgstr "" --"Les fontes %1$.30s et %2$.30hs n'ont pas le même nombre de glyphes ou des " -+"Les fontes %1$.30s et %2$.30s n'ont pas le même nombre de glyphes ou des " - "codages différents" - - #, c-format -@@ -19933,7 +19933,7 @@ msgid "" - "The fonts %1$.30s and %2$.30s use different types of splines (one quadratic, " - "one cubic)" - msgstr "" --"Les fontes %1$.30s et %2$.30hs utilisent des courbes de Bézier d'ordres " -+"Les fontes %1$.30s et %2$.30s utilisent des courbes de Bézier d'ordres " - "différents (quadratique et cubique)" - - msgid "The generated font won't work with ATM" -@@ -19968,8 +19968,8 @@ msgid "" - "The glyph %1$.30s in font %2$.30s has a different hint mask on its contours " - "than in %3$.30s" - msgstr "" --"Le glyphe %1$.30s dans la police %2$.30hs a un masque de hints différent que " --"dans %3$.30hs" -+"Le glyphe %1$.30s dans la police %2$.30s a un masque de hints différent que " -+"dans %3$.30s" - - #, c-format - msgid "" -@@ -19984,8 +19984,8 @@ msgid "" - "The glyph %1$.30s in font %2$.30s has a different number of references than " - "in %3$.30s" - msgstr "" --"Le glyphe %1$.30s de la fonte %2$.30hs a un nombre de références différent " --"dans %3$.30hs" -+"Le glyphe %1$.30s de la fonte %2$.30s a un nombre de références différent " -+"dans %3$.30s" - - #, c-format - msgid "" -@@ -20457,7 +20457,7 @@ msgstr "" - #, c-format - msgid "The outlines of glyph %2$.30s were not found in the font %1$.60s" - msgstr "" --"Le contours du glyphe %2$.30s n'ont pas été trouvés dans la police %1$.60hs" -+"Le contours du glyphe %2$.30s n'ont pas été trouvés dans la police %1$.60s" - - msgid "The paths that make up this glyph intersect one another" - msgstr "Les chemins qui composent ce glyphe se coupent les uns les autres" -@@ -21042,7 +21042,7 @@ msgstr "Il y a déjà une sous-table avec ce nom, changez de nom SVP" - - 
#, c-format - msgid "There is already an anchor point named %1$.40s in %2$.40s." --msgstr "Il y a déjà une ancre appelée %1$.40s dans %2$.40hs." -+msgstr "Il y a déjà une ancre appelée %1$.40s dans %2$.40s." - - msgid "There is another glyph in the font with this name" - msgstr "Il y a un autre glyphe dans la fonte avec ce nom" -@@ -21441,8 +21441,8 @@ msgid "" - "been able to find is %1$.20s-%2$.20s-%4$d.\n" - "Shall I use that or let you search?" - msgstr "" --"Cette fonte est basée sur le jeu de caractères %1$.20s-%2$.20hs-%3$d, mais " --"ce que j'ai trouvé de mieux c'est %1$.20hs-%2$.20hs-%4$d.\n" -+"Cette fonte est basée sur le jeu de caractères %1$.20s-%2$.20s-%3$d, mais " -+"ce que j'ai trouvé de mieux c'est %1$.20s-%2$.20s-%4$d.\n" - "Devrais-je utiliser cette valeur ou préférez vous chercher ?" - - msgid "" -@@ -21770,7 +21770,7 @@ msgid "" - "with a 0 offset for this combination. Would you like to alter this kerning " - "class entry (or create a kerning pair for just these two glyphs)?" - msgstr "" --"Cette paire de crénage (%.20s et %.20hs) est dans une classe de crénage\n" -+"Cette paire de crénage (%.20s et %.20s) est dans une classe de crénage\n" - "avec un déplacement de 0 pour cette combinaison. Voulez-vous modifier cette " - "partie\n" - "de la classe de crénage (ou créer une nouvelle paire rien que pour ces 2 " -@@ -24551,8 +24551,8 @@ msgid "" - "referred to.\n" - "It will not be copied." - msgstr "" --"Vous essayer de coller une référence vers %1$s dans %2$hs.\n" --"Mais %1$hs n'existe pas dans cette fonte, et FontForge ne trouve pas le " -+"Vous essayer de coller une référence vers %1$s dans %2$s.\n" -+"Mais %1$s n'existe pas dans cette fonte, et FontForge ne trouve pas le " - "glyphe auquel il se référait.\n" - "Le glyphe ne sera pas copié." - -@@ -24562,8 +24562,8 @@ msgid "" - "But %1$s does not exist in this font.\n" - "Would you like to copy the original splines (or delete the reference)?" 
- msgstr "" --"Vous essayer de coller une référence vers %1$s dans %2$hs.\n" --"Mais %1$hs n'existe pas dans cette fonte.\n" -+"Vous essayer de coller une référence vers %1$s dans %2$s.\n" -+"Mais %1$s n'existe pas dans cette fonte.\n" - "Voulez vous copier le contour d'origine (ou supprimer la référence)?" - - msgid "" -diff --git a/po/it.po b/po/it.po -index e13711485c..d0c3ea9873 100644 ---- a/po/it.po -+++ b/po/it.po -@@ -2303,7 +2303,7 @@ msgid "" - "Reverting the file will lose those changes.\n" - "Is that what you want?" - msgstr "" --"Il font %1$.40s nel file %2$.40hs è stato modificato.\n" -+"Il font %1$.40s nel file %2$.40s è stato modificato.\n" - "Ripristinando il file perderai tutte le modifiche.\n" - "È quello che vuoi fare?" - -@@ -5835,7 +5835,7 @@ msgid "" - "The glyph %1$.30s has a different number of contours in font %2$.30s than in " - "%3$.30s" - msgstr "" --"Il glifo %1$.30s ha un diverso numero di contorni nel font %2$.30hs rispetto " -+"Il glifo %1$.30s ha un diverso numero di contorni nel font %2$.30s rispetto " - "a %3$.30s" - - #, c-format -@@ -6235,8 +6235,8 @@ msgid "" - "been able to find is %1$.20s-%2$.20s-%4$d.\n" - "Shall I use that or let you search?" - msgstr "" --"Questo font è basato sulla codifica di caratteri %1$.20s-%2$.20hs-%3$d, ma " --"il migliore che io abbia trovato è %1$.20hs-%2$.20hs-%4$d.\n" -+"Questo font è basato sulla codifica di caratteri %1$.20s-%2$.20s-%3$d, ma " -+"il migliore che io abbia trovato è %1$.20s-%2$.20s-%4$d.\n" - "Devo usare questo valore o preferisci cercare tu stesso?" - - msgid "" diff --git a/fontforge-20230101.tar.gz b/fontforge-20251009.tar.xz similarity index 32% rename from fontforge-20230101.tar.gz rename to fontforge-20251009.tar.xz index 2e65222..69275e6 100644 --- a/fontforge-20230101.tar.gz +++ b/fontforge-20251009.tar.xz 
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ab0c4be41be15ce46a1be1482430d8e15201846269de89df67db32c7de4343f1
-size 17506443
+oid sha256:69046500185a5581b58139dfad30c0b3d8128f00ebbfddc31f2fcf877e329e52
+size 14032824
diff --git a/fontforge.spec b/fontforge.spec
index 9ad3a28..dd90ef6 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -1,24 +1,21 @@
 %undefine __cmake_in_source_build
 %global gettext_package FontForge
-%global gittag0 20230101
 Name: fontforge
-Version: 20230101
-Release: 5
+Version: 20251009
+Release: 1
 Summary: Outline and bitmap font editor
 License: GPL-3.0-or-later
 URL: https://fontforge.github.io/
-Source0: https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/%{name}-%{version}.tar.gz
-Patch0: Fix-errors-in-French-and-Italian-translations.patch
-# https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429
-Patch1: CVE-2024-25081_CVE-2024-25082.patch
+Source0: https://github.com/fontforge/fontforge/releases/download/%{version}/%{name}-%{version}.tar.xz
 Requires: xdg-utils potrace hicolor-icon-theme
 BuildRequires: gcc-c++ cmake libjpeg-devel libtiff-devel libpng-devel giflib-devel libxml2-devel
 BuildRequires: freetype-devel desktop-file-utils libuninameslist-devel libXt-devel xorg-x11-proto-devel
-BuildRequires: gettext pango-devel cairo-devel libspiro-devel python3-devel readline-devel
+BuildRequires: gettext libspiro-devel python3-devel readline-devel
 BuildRequires: /usr/bin/appstreamcli woff2-devel shared-mime-info gtk3-devel python3-sphinx
+BuildRequires: pkgconfig(gtkmm-3.0)
 %description
 FontForge (former PfaEdit) is a font editor for outline and bitmap
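Review bot: Removing `Patch1: CVE-2024-25081_CVE-2024-25082.patch` in this hunk leaves nothing in the spec that records whether the shell command injection fix is still shipped. The deleted patch is upstream commit 216eb14b558df344b206bf82e2bdaf03a1f2f429, dated 6 Feb 2024, so the 20251009 tarball presumably contains it, but that is inferred from the dates rather than shown on this page. It is worth confirming that `Unarchive` and `Decompress` in `fontforge/splinefont.c` of the new source no longer build a command string for `system()`. The `%changelog` hunk only says `- update to 20251009`; I would add `- drop CVE-2024-25081_CVE-2024-25082.patch and Fix-errors-in-French-and-Italian-translations.patch, both merged upstream` so that CVE tracking which reads the changelog still sees the fix as applied.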
@@ -48,8 +45,7 @@ This package contains documentation files for %{name}.
 %autosetup -n %{name}-%{version} -p1
 # Remove tests that requires Internet access
-sed -i '45d;82d;101d;127d' tests/CMakeLists.txt
-
+sed -i '/test003.pe\|test130.pe\|test0101.py\|test929.py/d' tests/CMakeLists.txt
 %build
 export CFLAGS="%{optflags} -fno-strict-aliasing"
@@ -93,6 +89,9 @@ appstreamcli validate --pedantic --no-net %{buildroot}%{_metainfodir}/*.appdata.
 %{_mandir}/man1/*.1*
 %changelog
+* Fri Oct 10 2025 Funda Wang - 20251009-1
+- update to 20251009
+
 * Wed Oct 08 2025 Funda Wang - 20230101-5
 - use appstreamcli instead of appstream-util
-- Gitee
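Review bot: The new `sed` expression in the `-48,8 +45,7` hunk leaves the dots unescaped and relies on the GNU-only `\|` alternation, so `test003.pe` matches any character where the dot is. `sed -i -E '/test003\.pe|test130\.pe|test0101\.py|test929\.py/d' tests/CMakeLists.txt` matches only the literal file names. Because `sed` exits 0 when nothing matches, a test renamed upstream would silently stay in the build and try to reach the network. A `grep -q` for each file name before the `sed` would turn that into a visible build failure.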