Source: fonttools
Version: 4.57.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.57.0-1
Hi,

The following vulnerability was published for fonttools.

CVE-2025-66034[0]:
| fontTools is a library for manipulating fonts, written in Python. In
| versions from 4.33.0 to before 4.60.2, the fonttools varLib (or
| python3 -m fontTools.varLib) script has an arbitrary file write
| vulnerability that leads to remote code execution when a malicious
| .designspace file is processed. The vulnerability affects the main()
| code path of fontTools.varLib, used by the fonttools varLib CLI and
| any code that invokes fontTools.varLib.main(). This issue has been
| patched in version 4.60.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66034
    https://www.cve.org/CVERecord?id=CVE-2025-66034
[1] https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
[2] https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
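A quick triage helper for the version range quoted in the report (affected from 4.33.0, fixed in 4.60.2). This is an added example, not code from the fonttools project or from the Debian report. It assumes version strings are plain dotted upstream versions, optionally carrying a Debian epoch ("1:") or revision ("-3"), both of which it strips before comparing. Note the caveat for Debian packages: a security fix is usually backported without bumping the upstream version, so a version-range check like this only says whether the upstream release is in the advisory's range; whether a given Debian binary package is actually fixed is what the security tracker at [0] records.

```python
"""Check whether a fontTools version falls in the CVE-2025-66034 affected
range quoted in the report: >= 4.33.0 and < 4.60.2.

Added example; not code from the fonttools project or the Debian report.
Assumes plain dotted upstream versions, optionally with a Debian epoch
("1:") or revision ("-3"), which are dropped before comparison.
"""

AFFECTED_FROM = (4, 33, 0)   # inclusive, per the advisory text
FIXED_IN = (4, 60, 2)        # exclusive: first fixed upstream release


def parse_upstream(version: str) -> tuple:
    """Turn '4.57.0-3', '1:4.60.2-1' or '4.60' into a 3-tuple of ints.

    Epoch and Debian revision are discarded: neither describes the upstream
    code, and a backported fix is not visible in the version string anyway.
    Missing components are padded with 0 so '4.60' compares like 4.60.0.
    """
    if ":" in version:
        version = version.split(":", 1)[1]
    upstream = version.split("-", 1)[0]
    parts = []
    for piece in upstream.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the upstream version lies in [4.33.0, 4.60.2)."""
    return AFFECTED_FROM <= parse_upstream(version) < FIXED_IN


def triage(versions):
    """Map each version string to whether it is in the affected range."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample: the two Debian versions named in the report plus
    # the boundaries of the advisory range.
    sample = ["4.57.0-3", "4.57.0-1", "4.32.0", "4.33.0",
              "4.60.1", "4.60.2", "4.61.0"]
    for v, hit in triage(sample).items():
        print(f"{v:>10}: {'in affected range' if hit else 'not in range'}")
```

Both versions named in the pseudo-header (4.57.0-3 and the "found" 4.57.0-1) fall inside the range, which is consistent with the Control line marking 4.57.0-1 as found.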

