
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-25081 affects Splinefont in FontForge through version 20230101, allowing command injection attacks via crafted filenames. The vulnerability was discovered and disclosed in February 2024, impacting FontForge installations across multiple operating systems and distributions (NVD, Debian).
The vulnerability is classified as a command injection vulnerability (CWE-77) with a CVSS v3.1 base score of 4.2 (Medium). The issue stems from FontForge's use of the system() function to run an external archiver when unpacking fonts from archives: both the archive name and the name of the font file to extract from inside the archive are spliced into the command string as-is. Because system() hands that string to /bin/sh, any shell metacharacters in a file name (a semicolon, backticks, or a $(...) substitution, for example) are parsed as additional commands rather than as part of the name (OSS Security).
When exploited, this vulnerability allows an attacker who can get a user to open a font or archive with a crafted file name to execute arbitrary commands on that user's system with the user's privileges. The impact is somewhat limited by the local access requirement, the high attack complexity and the need for user interaction, but a successful attack could lead to unauthorized access, data manipulation, or system compromise (NVD).
A patch has been developed and merged upstream that switches from system() to glib's g_spawn_sync(), which receives the program and its arguments as an argument vector. The file names therefore reach the archiver as single literal arguments and are never parsed by a shell. The fix was merged on February 6, 2024, through pull request #5367. Various distributions have released security updates incorporating this fix, including Debian, Ubuntu, and Fedora (GitHub PR, Debian LTS).
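The following is an added illustration, not code from FontForge or from the upstream fix, of the two patterns contrasted above: a file name spliced into a system()-style shell command beside the same operation done with an argument vector. /bin/echo stands in for the archiver so the example runs anywhere and writes nothing to disk, and fork/execv stands in for g_spawn_sync() so no glib is needed; the crafted file name is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run a child process and capture its stdout into `out` (NUL-terminated).
 * If `argv` is NULL, the string `cmd` is handed to /bin/sh -c, which is
 * exactly what system(3) does. Otherwise `argv` is exec'd directly and no
 * shell ever sees the arguments. Returns the child's exit status, or -1 on
 * a fork/pipe failure or abnormal termination. */
static int run_capture(const char *cmd, char *const argv[], char *out, size_t outsz) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        if (argv)
            execv(argv[0], argv);
        else
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outsz && (r = read(fds[0], out + n, outsz - n - 1)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE pattern (the system() usage the advisory describes): the
 * attacker-controlled file name is formatted into a command line and the
 * whole line is parsed by a shell. */
int vulnerable_list_archive(const char *archive, char *out, size_t outsz) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo %s", archive);
    return run_capture(cmd, NULL, out, outsz);
}

/* HARDENED pattern: the file name is one element of argv and the program
 * is exec'd directly. Upstream reaches the same end with g_spawn_sync();
 * fork/execv is a stand-in here (assumption) with the same property. */
int hardened_list_archive(const char *archive, char *out, size_t outsz) {
    char *const argv[] = { "/bin/echo", (char *)archive, NULL };
    return run_capture(NULL, argv, out, outsz);
}

/* Constructed attacker-controlled file name: to a shell it is two commands. */
static const char *CRAFTED = "font.ttf; echo INJECTED";

int main(void) {
    char out[256];
    vulnerable_list_archive(CRAFTED, out, sizeof out);
    printf("system()-style output:\n%s", out);   /* "font.ttf" then "INJECTED" */
    hardened_list_archive(CRAFTED, out, sizeof out);
    printf("argv-style output:\n%s", out);       /* the name, printed verbatim */
    return 0;
}
```

Run as-is: the shell path prints "font.ttf" and then "INJECTED", proving the second command executed, while the argv path prints the name verbatim with the semicolon intact. No quoting or escaping of the file name is attempted in the hardened version; avoiding the shell entirely is the fix, and it is why the upstream patch moved to g_spawn_sync() rather than trying to sanitize the string.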
The vulnerability was documented in detail in a blog post titled 'Fonts are still a helvetica of a problem' on Canva's engineering blog, which discussed this vulnerability alongside other font-handling security issues, and the report was also circulated on the oss-security mailing list, after which distribution security teams backported the upstream fix (OSS Security).
Source: This report was generated using AI