I would not assume Linux is safe. Font engines are complex beasts, giving security bugs plenty of places to hide. FreeType has had 22 vulnerabilities discovered since 2009 that could have been used to execute code, and Graphite, Firefox's current font rendering engine, has also had its share. In fact, as recently as April, Firefox had BOTH a remote execution font rendering bug *and* a sandbox escape bug that perhaps could have been combined to enable executing arbitrary code outside the sandbox.

On Wed, Sep 6, 2017 at 2:30 PM Petrusko <petrusko@riseup.net> wrote:
Buh! Thx Andre for your answer and the link :)
Very interesting, but hard to understand for a novice. So I can see it's
only a Windows problem if I'm not wrong.
So on a Linux machine there's no (not known) risk to enable @Font ...

Thx! ;)


Andre Mankel :
> Downloading fonts may be dangerous although the chances are rather
> low. But as always, this is subject to many circumstances.
>
> https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kernel/101263/
>
> Best wishes
> Andre

--
Petrusko
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5

