Security update for fontforge SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1199-1 Final 1 1 2025-04-11T08:41:11Z current 2025-04-11T08:41:11Z 2025-04-11T08:41:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for fontforge This update for fontforge fixes the following issues: - CVE-2017-17521: Fixed command injection in help function uiutil.c (bsc#1073014) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1199,SUSE-SLE-Module-Desktop-Applications-15-SP6-2025-1199,openSUSE-SLE-15.6-2025-1199 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251199-1/ Link for SUSE-SU-2025:1199-1 https://lists.suse.com/pipermail/sle-updates/2025-April/038965.html E-Mail link for SUSE-SU-2025:1199-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1073014 SUSE Bug 1073014 https://www.suse.com/security/cve/CVE-2017-17521/ SUSE CVE CVE-2017-17521 page SUSE Linux Enterprise Module for Desktop Applications 15 SP6 openSUSE Leap 15.6 fontforge-20200314-150200.3.9.1 fontforge-devel-20200314-150200.3.9.1 fontforge-doc-20200314-150200.3.9.1 fontforge-20200314-150200.3.9.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP6 fontforge-20200314-150200.3.9.1 as a component of openSUSE Leap 15.6 fontforge-devel-20200314-150200.3.9.1 as a component of openSUSE Leap 15.6 fontforge-doc-20200314-150200.3.9.1 as a component of openSUSE Leap 15.6 uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534. CVE-2017-17521 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:fontforge-20200314-150200.3.9.1 openSUSE Leap 15.6:fontforge-20200314-150200.3.9.1 openSUSE Leap 15.6:fontforge-devel-20200314-150200.3.9.1 openSUSE Leap 15.6:fontforge-doc-20200314-150200.3.9.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251199-1/ https://www.suse.com/security/cve/CVE-2017-17521.html CVE-2017-17521 https://bugzilla.suse.com/1073014 SUSE Bug 1073014