<div class="container">
    <h1>Security update for fontforge</h1>

    <table class="table table-striped table-bordered">
        <tbody>
        <tr>
            <th>Announcement ID:</th>
            <td>SUSE-SU-2026:20435-1</td>
        </tr>
        <tr>
            <th>Release Date:</th>
            <td>2026-02-14T21:30:01Z</td>
        </tr>
        
        <tr>
            <th>Rating:</th>
            <td>important</td>
        </tr>
        <tr>
            <th>References:</th>
            <td>
                <ul>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1252652">bsc#1252652</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256013">bsc#1256013</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256025">bsc#1256025</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256032">bsc#1256032</a>
                        </li>
                    
                    
                        <li style="display: inline;">
                            <a href="https://jira.suse.com/browse/PED-14507">jsc#PED-14507</a>
                        </li>
                    
                </ul>
            </td>
        </tr>
        
            <tr>
                <th>
                    Cross-References:
                </th>
                <td>
                    <ul>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-15269.html">CVE-2025-15269</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-15275.html">CVE-2025-15275</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-15279.html">CVE-2025-15279</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-50949.html">CVE-2025-50949</a>
                        </li>
                    
                    </ul>
                </td>
            </tr>
            <tr>
                <th>CVSS scores:</th>
                <td>
                    <ul class="list-group">
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15269</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">8.8</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15269</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">8.8</span>
                                <span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15275</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">8.8</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15275</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">8.8</span>
                                <span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15279</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.8</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-15279</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.8</span>
                                <span class="cvss-vector">CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-50949</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.8</span>
                                <span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-50949</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">3.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-50949</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
                            </li>
                        
                    </ul>
                </td>
            </tr>
        
        <tr>
            <th>Affected Products:</th>
            <td>
                <ul class="list-group">
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
                    
                </ul>
            </td>
        </tr>
        </tbody>
    </table>

    <p>An update that solves four vulnerabilities and contains one feature can now be installed.</p>

    


    
        <h2>Description:</h2>
    
    <p>This update for fontforge fixes the following issues:</p>
<p>Update to version 20251009.</p>
<p>Security issues fixed (every CVSS vector listed above requires user interaction, UI:R or UI:P):</p>
<ul>
<li>CVE-2025-15279: remote code execution via heap-based buffer overflow in BMP file parsing; both the SUSE and NVD vectors above score it with a local attack vector (AV:L) (bsc#1256013).</li>
<li>CVE-2025-15269: remote code execution via use-after-free in SFD file parsing (bsc#1256032).</li>
<li>CVE-2025-15275: arbitrary code execution via SFD file parsing buffer overflow (bsc#1256025).</li>
<li>CVE-2025-50949: memory leak in function DlgCreate8 (bsc#1252652).</li>
</ul>
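<p>Other updates and bugfixes (the list includes memory-corruption and shell-injection fixes that this advisory does not list under a CVE, e.g. #5339, #5367, #5537):</p>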
<ul>
<li>fix multiple crashes in Multiple Masters.</li>
<li>fix crash for content over 32767 characters in GDraw multiline text field.</li>
<li>fix crash on Up/Down</li>
<li>fix crash in Metrics View.</li>
<li>fix UFO crash for empty contours.</li>
<li>
<p>fix crash issue in allmarkglyphs.</p>
</li>
<li>
<p>Version update to 20251009:</p>
</li>
<li>
<p>Update documentation for py scripts (#5180)</p>
</li>
<li>Update GitHub CI runners (#5328)</li>
<li>Update po files from Crowdin sources. (#5330)</li>
<li>Use consistent Python in MacOS GitHub runner (#5331)</li>
<li>Fix CI for Windows GitHub runner (#5335)</li>
<li>Fix lookup flags parsing (#5338)</li>
<li>Fixes (#5332): glyph file names uXXXXX (#5333)</li>
<li>make harmonization robust and avoid zero handles after harmonization (#5262)</li>
<li>Quiet strict prototypes warnings. (#5313)</li>
<li>Fix crash in parsegvar() due to insufficient buffer (#5339)</li>
<li>Handle failed iconv conversion. Unhandled execution path was UB, causing a segfault for me (#5329)</li>
<li>Fix CMake function _get_git_version() (#5342)</li>
<li>Don&#x27;t require individual tuple encapsulation in fontforge.font.bitmapSizes setter (#5138)</li>
<li>nltransform of anchor points (#5345)</li>
<li>Fix generateFontPostHook being called instead of generateFontPreHook (#5226)</li>
<li>Always set usDefaultChar to 0 (.notdef) (#5242)</li>
<li>add font attributes, method to Python docs (#5353)</li>
<li>fix segfault triggered by Python del c[i:j] (#5352)</li>
<li>Autoselect internal WOFF2 format (#5346)</li>
<li>Fix typos in the FAQ (#5355)</li>
<li>add font.style_set_names attribute to Python API (#5354)</li>
<li>Bulk tester (#5365)</li>
<li>Fix Splinefont shell invocation (shell command injection) (#5367)</li>
<li>Fix the lists of Windows language IDs (#5359)</li>
<li>Support supplementary planes in SFD (emojis etc.) (#5364)</li>
<li>Remove psaltnames for multi-code-point names (#5305)</li>
<li>doc: added missing sudo to installation instructions (#5300)</li>
<li>Fix data corruption on SFD reading (#5380)</li>
<li>Compare vertical metrics check when generating TTC (#5372)</li>
<li>Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)</li>
<li>Don&#x27;t attempt to copy anchors into NULL font (#5405)</li>
<li>Fix export of supplementary plane characters in font name to TTF (#5396)</li>
<li>Defer crowdin update to the end of the pipeline (#5409)</li>
<li>Fix generated feature file bugs (#5384)</li>
<li>crowdin: update to java 17 (#5447)</li>
<li>Remove assert from Python script processor (#5410)</li>
<li>Use sysconfig for Python module locations (#5423)</li>
<li>Use PyConfig API on Python 3.8 (#5404)</li>
<li>Fix resource leak in unParseTTInstrs (#5476)</li>
<li>Only install GUI-specific files if ENABLE_GUI is set (#5451)</li>
<li>add math device tables to Python API (#5348)</li>
<li>Update CI runner to macOS 13 (#5482)</li>
<li>Allow hyphen and special characters in Feature File glyph names (#5358)</li>
<li>Fix Python font.appendSFNTName() function (#5494)</li>
<li>Update mm.c (#5386)</li>
<li>Warning rollup (probably some hidden bugs!) from clang trunk (#5492)</li>
<li>Fix function PyFFFont_addSmallCaps. (#5519)</li>
<li>Make SmallCaps() create symbols (#5517)</li>
<li>Segfault fix and complete implementation of "Don&#x27;t generate FFTM tables" (#5509)</li>
<li>Modernize fixed pitch flag computation (#5506)</li>
<li>fix memleak in function utf7toutf8_copy (#5495)</li>
<li>Avoid crashes in Python scripts when objects are accessed in invalid state (#5483)</li>
<li>Fix CI for Ubuntu 24 (#5531)</li>
<li>Bump GitHub CI runner to Ubuntu 22 (#5551)</li>
<li>Fix memory corruption in SFUnicodeRanges() (#5537)</li>
<li>Add contour draw option to H.Metrics. (#5496)</li>
<li>Fix scaling of references in CharView (#5558)</li>
<li>Fix TTF validation on load for fixed pitch fonts (#5562)</li>
<li>Performance fixes for GSUB/GPOS dumps (#5547)</li>
<li>Simple GTK-based dialog with CSS appearance support (#5546)</li>
<li>Support Harfbuzz in Metrics View (#5522)</li>
<li>Update po files from crowdin translations (#5575)</li>
<li>Be more clever about label text in gtextfield (#5583)</li>
<li>Add minimal support for GDEF version 1.3 (#5584)</li>
<li>Sanitize messages from python (#5589)</li>
<li>Fix a crash caused by deleting a glyph with vertical kerning pairs. (#5592)</li>
<li>THEME -> GUI_THEME (#5596)</li>
<li>Update po translations from Crowdin (#5593)</li>
<li>Upgrade to Unicode 16.0.0 (#5594)</li>
<li>Fix Linux AppImage (#5599)</li>
<li>Upgrade to Unicode 17.0.0 and extend the language and script lists (#5618)</li>
<li>Remove X11 and non-Cairo drawing backends (#5612)</li>
<li>Add macOS dependency setup script (#5563)</li>
<li>Fix hotkeys in BitmapView (#5626)</li>
<li>Manually install Inno Setup 6 (#5621)</li>
<li>Remove cv->back_img_out_of_date and cv->backimgs (#5625)</li>
<li>fix spelling "bt" -> "but" (#5636)</li>
<li>
<p>Fix typos in Python module docs (#5634)</p>
</li>
<li>
<p>Version update to 20230101+git59.770356c9b:</p>
</li>
<li>
<p>Add contour draw option to H.Metrics. (#5496)</p>
</li>
<li>Fix memory corruption in SFUnicodeRanges() (#5537)</li>
<li>Bump GitHub CI runner to Ubuntu 22 (#5551)</li>
<li>Fix CI for Ubuntu 24 (#5531)</li>
<li>Avoid crashes in Python scripts when objects are accessed in
    invalid state (#5483)</li>
<li>fix memleak in function utf7toutf8_copy (#5495)</li>
<li>Modernize fixed pitch flag computation (#5506)</li>
<li>Segfault fix and complete implementation of "Don&#x27;t generate
    FFTM tables" (#5509)</li>
<li>Make SmallCaps() translate symbols, too.  Update
    documentation accordingly. (#5517)</li>
<li>Fix function PyFFFont_addSmallCaps. (#5519)</li>
<li>Warning rollup (probably some hidden bugs!) from clang trunk
    (#5492)</li>
<li>Update mm.c (#5386)</li>
<li>fix memleak in function DlgCreate8 (#5491)</li>
<li>Fix Python font.appendSFNTName() function (#5494)</li>
<li>Allow hyphen and special characters in Feature File glyph names
    (#5358)</li>
<li>Update CI runner to macOS 13 (#5482)</li>
<li>add math device tables to Python API (#5348)</li>
<li>Only install GUI-specific files if ENABLE_GUI is set (#5451)</li>
<li>Fix resource leak in unParseTTInstrs (#5476)</li>
<li>Use PyConfig API on Python 3.8 (#5404)</li>
<li>Use sysconfig for Python module locations (#5423)</li>
<li>More crowdin fix</li>
<li>Python script shall trigger no asserts (#5410)</li>
<li>crowdin: update to java 17 (#5447)</li>
<li>try fix crowdin</li>
<li>Fix generated feature file bugs (#5384)</li>
<li>Defer crowdin update to the end of the pipeline (#5409)</li>
<li>Fix export of supplementary plane characters in font name to
    TTF (#5396)</li>
<li>Don&#x27;t attempt to copy anchors into NULL font (#5405)</li>
<li>Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)</li>
<li>Compare vertical metrics check when generating TTC (#5372)</li>
<li>Fix data corruption on SFD reading (#5380)</li>
<li>doc: added missing sudo to installation instructions (#5300)</li>
<li>Remove <code>psaltnames</code> for multi-code-point names (#5305)</li>
<li>Support supplementary planes in SFD (emojis etc.) (#5364)</li>
<li>Fix the lists of Windows language IDs (#5359)</li>
<li>fix splinefont shell command injection (#5367)</li>
<li>Bulk tester (#5365)</li>
<li>add <code>font.style_set_names</code> attribute to Python API (#5354)</li>
<li>Fix typos in the FAQ (#5355)</li>
<li>Autoselect internal WOFF2 format (#5346)</li>
<li>fix segfault triggered by Python <code>del c[i:j]</code> (#5352)</li>
<li>add <code>font</code> attributes, method to Python docs (#5353)</li>
<li>Always set <code>usDefaultChar</code> to 0 (.notdef) (#5242)</li>
<li>Fix generateFontPostHook being called instead of
    generateFontPreHook (#5226)</li>
<li>nltransform of anchor points (#5345)</li>
<li>Don&#x27;t require individual tuple encapsulation in
    fontforge.font.bitmapSizes setter (#5138)</li>
<li>Fix CMake function _get_git_version() (#5342)</li>
<li>Handle failed iconv conversion. Unhandled execution path was
    UB, causing a segfault for me (#5329)</li>
<li>Fix crash in parsegvar() due to insufficient buffer (#5339)</li>
<li>Quiet strict prototypes warnings. (#5313)</li>
<li>harmonizing can now no longer produce zero handles, the
    computation of harmonization is now numerically robust (#5262)</li>
<li>Fix glyph file names uXXXXX (#5333)</li>
<li>Fix lookup flags parsing (#5338)</li>
<li>Duplicate libfontforge.dll for "py" and "pyhook" tests. (#5335)</li>
<li>Use consistent Python in MacOS GitHub runner (#5331)</li>
<li>Update po files from Crowdin sources after fixing problems</li>
<li>Fix GitHub CI runners (#5328)</li>
</ul>



    

    <h2>Patch Instructions:</h2>
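    <p>
        To install this SUSE update, use the SUSE-recommended
        installation methods such as YaST online_update or "zypper patch".
        Once the update is installed, <code>rpm -q fontforge</code> should report
        20251009-160000.1.1, the fixed version given in the package list below.<br/>

        Alternatively, you can run the command listed for your product:
    </p>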
    <ul class="list-group">
        
            <li class="list-group-item">
                SUSE Linux Enterprise Server 16.0
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLES-16.0-286=1</code>
                    
                    
                
            </li>
        
            <li class="list-group-item">
                SUSE Linux Enterprise Server for SAP Applications 16.0
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLES-16.0-286=1</code>
                    
                    
                
            </li>
        
    </ul>

    <h2>Package List:</h2>
    <ul>
        
            
                <li>
                    SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>fontforge-20251009-160000.1.1</li>
                        
                            <li>fontforge-devel-20251009-160000.1.1</li>
                        
                            <li>fontforge-debugsource-20251009-160000.1.1</li>
                        
                            <li>fontforge-debuginfo-20251009-160000.1.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Linux Enterprise Server 16.0 (noarch)
                    <ul>
                        
                            <li>fontforge-doc-20251009-160000.1.1</li>
                        
                    </ul>
                </li>
            
        
            
                <li>
                    SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
                    <ul>
                        
                            <li>fontforge-20251009-160000.1.1</li>
                        
                            <li>fontforge-devel-20251009-160000.1.1</li>
                        
                            <li>fontforge-debugsource-20251009-160000.1.1</li>
                        
                            <li>fontforge-debuginfo-20251009-160000.1.1</li>
                        
                    </ul>
                </li>
            
                <li>
                    SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
                    <ul>
                        
                            <li>fontforge-doc-20251009-160000.1.1</li>
                        
                    </ul>
                </li>
            
        
    </ul>

    
        <h2>References:</h2>
        <ul>
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-15269.html">https://www.suse.com/security/cve/CVE-2025-15269.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-15275.html">https://www.suse.com/security/cve/CVE-2025-15275.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-15279.html">https://www.suse.com/security/cve/CVE-2025-15279.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-50949.html">https://www.suse.com/security/cve/CVE-2025-50949.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1252652">https://bugzilla.suse.com/show_bug.cgi?id=1252652</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256013">https://bugzilla.suse.com/show_bug.cgi?id=1256013</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256025">https://bugzilla.suse.com/show_bug.cgi?id=1256025</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1256032">https://bugzilla.suse.com/show_bug.cgi?id=1256032</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://jira.suse.com/browse/PED-14507">https://jira.suse.com/browse/PED-14507</a>
                    </li>
                
            
        </ul>
    
</div>