Your message dated Tue, 03 Mar 2026 20:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1121605: fixed in fonttools 4.57.0-1+deb13u1
has caused the Debian Bug report #1121605,
regarding fonttools: CVE-2025-66034
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121605
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fonttools
Version: 4.57.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.57.0-1
Hi,
The following vulnerability was published for fonttools.
CVE-2025-66034[0]:
| fontTools is a library for manipulating fonts, written in Python. In
| versions from 4.33.0 to before 4.60.2, the fonttools varLib (or
| python3 -m fontTools.varLib) script has an arbitrary file write
| vulnerability that leads to remote code execution when a malicious
| .designspace file is processed. The vulnerability affects the main()
| code path of fontTools.varLib, used by the fonttools varLib CLI and
| any code that invokes fontTools.varLib.main(). This issue has been
| patched in version 4.60.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-66034
    https://www.cve.org/CVERecord?id=CVE-2025-66034
[1] https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
[2] https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
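The report above describes the vulnerability class only in outline: an arbitrary file write when fontTools.varLib.main() processes a malicious .designspace file. As an added example (not fontTools code and not the upstream patch, whose exact change is not reproduced in this report), the following Python shows the defensive pattern that closes this class of bug in any tool that takes output paths from an untrusted document: resolve each path and refuse it unless it stays inside a designated output directory. The sample document, the `instance`/`filename` element and attribute names (which follow the designspace format as the author of this example understands it), and the output-directory names used in the checks are constructed for the example.

```python
"""Containment check for output paths taken from an untrusted document.

Added example, not fontTools code and not the CVE-2025-66034 fix itself.
It demonstrates the mitigation for the arbitrary-file-write class the
advisory describes: a path read from an untrusted file never reaches
open() unless it resolves inside the directory the caller chose.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample: a minimal designspace-like document. The element and
# attribute names are an assumption based on the designspace format; the
# second and third instances name paths that escape the output directory.
SAMPLE_DESIGNSPACE = """<?xml version="1.0" encoding="UTF-8"?>
<designspace format="5.0">
  <instances>
    <instance name="Regular" filename="instances/Demo-Regular.ufo"/>
    <instance name="Bold" filename="../escape.ufo"/>
    <instance name="Abs" filename="/tmp/escape.ufo"/>
  </instances>
</designspace>
"""


def contained_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the resolved absolute path if it stays inside base_dir, else None.

    realpath() collapses '..' segments and follows symlinks on both sides,
    so a symlink planted inside base_dir that points elsewhere is rejected
    just like a literal '../' escape.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        return None  # an untrusted document never gets to name an absolute path
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows) share no prefix
        return None
    return candidate


def instance_filenames(designspace_xml: str) -> List[str]:
    """Extract the filename attribute of every <instance> element."""
    root = ET.fromstring(designspace_xml)
    return [el.get("filename") for el in root.iter("instance") if el.get("filename")]


def vet_instance_paths(designspace_xml: str, output_dir: str) -> Tuple[List[str], List[str]]:
    """Split instance filenames into (accepted paths relative to output_dir,
    rejected raw filenames). Only the accepted list may be passed to code
    that creates or overwrites files."""
    base = os.path.realpath(output_dir)
    accepted, rejected = [], []
    for name in instance_filenames(designspace_xml):
        resolved = contained_path(base, name)
        if resolved is None:
            rejected.append(name)
        else:
            accepted.append(os.path.relpath(resolved, base))
    return accepted, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Run the check on the constructed sample against a fresh temporary
    output directory and return (accepted, rejected)."""
    with tempfile.TemporaryDirectory() as out:
        return vet_instance_paths(SAMPLE_DESIGNSPACE, out)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately placed where the path is first read rather than at the write, so a tool that also creates parent directories, copies UFO trees, or hands the path to a subprocess cannot bypass it; rejecting absolute paths outright (instead of trying to re-root them) keeps the policy simple to audit.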
--- Begin Message ---
Source: fonttools
Source-Version: 4.57.0-1+deb13u1
Done: Bastian Germann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fonttools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated fonttools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Feb 2026 18:00:20 +0100
Source: fonttools
Architecture: source
Version: 4.57.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Fonts Task Force <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1121605
Changes:
fonttools (4.57.0-1+deb13u1) trixie; urgency=medium
.
* Team upload.
* Apply the upstream fix for CVE-2025-66034. Closes: #1121605
Checksums-Sha1:
7330a0d0b68ac155ea04d41a03e5a4d6f36cc729 3176 fonttools_4.57.0-1+deb13u1.dsc
1b1a26548777c459ba4fc14da6091b6008a0e3ba 2678472 fonttools_4.57.0.orig.tar.xz
9d0d6a5a14d038e173658bf866d3faf328a1aab8 14436 fonttools_4.57.0-1+deb13u1.debian.tar.xz
df72e1d61b51dba1781c8d6682cd1f7f2a2c56c6 8086 fonttools_4.57.0-1+deb13u1_source.buildinfo
Checksums-Sha256:
05f4aee99a75a83d5c3d69920dbac0f82aef99eda0e7940f60570427ba2c4c8f 3176 fonttools_4.57.0-1+deb13u1.dsc
46b96a86e9f789b7c9d37794012a7224dde5f49a3a0b1eca599d1d86d54f3a34 2678472 fonttools_4.57.0.orig.tar.xz
971f55a5f3a91effa74d403481e2dcd7a594f3e2b31c11b2870c0e7024f17387 14436 fonttools_4.57.0-1+deb13u1.debian.tar.xz
3b6e417f5cadbbdcfe957814603689a3606550ba27ee4562aa6d486809cc6737 8086 fonttools_4.57.0-1+deb13u1_source.buildinfo
Files:
2b051056e7f785bdf090246399c540af 3176 devel optional fonttools_4.57.0-1+deb13u1.dsc
024d51578d9f731ea78bf634cefe3181 2678472 devel optional fonttools_4.57.0.orig.tar.xz
475b750f5f72c33b75a156de02ddaca5 14436 devel optional fonttools_4.57.0-1+deb13u1.debian.tar.xz
3672c845c4c4b99aae0c0dd9f7194f76 8086 devel optional fonttools_4.57.0-1+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---