Thx Sean for this answer, so it's really sad to understand it's bugged and system/browser can be compromised by those fonts :s
So I'm starting to be anxious when I think about all fonts downloaded on websites (like www.dafont.com) and added on the system, sometimes Windows, usually Debian, to use it with GIMP and sometimes inside other software... :ss Those websites can be a nice way for bad guyz to distribute those bugged fonts so :'(
Buh! And no way to know if a font is bugged or not? When using it inside GIMP for example, no remote execution or something similar can be done? Like Firefox in your example? (kernel pwned in Windows, resulting in a BSOD, is not really a big problem in my eyes...)
On 07/09/2017 at 00:31, Sean Lynch wrote:
I would not assume Linux is safe. Font engines are complex beasts, giving security bugs plenty of places to hide. Freetype has had 22 vulnerabilities discovered since 2009 that could have been used to execute code, and Graphite, Firefox's current font rendering engine, has also had its share. In fact, as recently as April, Firefox had BOTH a remote execution font rendering bug *and* a sandbox escape bug that perhaps could have been combined to enable executing arbitrary code outside the sandbox.
On Wed, Sep 6, 2017 at 2:30 PM Petrusko <petrusko@riseup.net> wrote:
Buh! Thx Andre for your answer and the link :) Very interesting, but hard to understand for a novice. So I can see it's only a Windows problem if I'm not wrong. So on a Linux machine there's no (not known) risk to enable @Font ...

Thx! ;)

Andre Mankel:
> Downloading fonts may be dangerous although the chances are rather
> low. But as always, this is subject to many circumstances.
>
> https://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kernel/101263/
>
> Best wishes
> Andre

--
Petrusko
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5

_______________________________________________
tor-users mailing list
tor-users@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-users