Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fonttools
User: [email protected]
Usertags: pu

[ Reason ]
Remote code execution bug CVE-2025-66034, see #1121605.

[ Impact ]
Arbitrary files can be written with malicious user input.

[ Tests ]
The codepath still works with a regular designspace file.
I have not tested the vulnerability by manipulating one.

[ Risks ]
The new code uses os.path.basename() to open the file path.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add the upstream patch, untouched, to deal with CVE-2025-66034.
diff -Nru fonttools-4.57.0/debian/changelog fonttools-4.57.0/debian/changelog
--- fonttools-4.57.0/debian/changelog   2025-04-05 21:52:02.000000000 +0200
+++ fonttools-4.57.0/debian/changelog   2026-02-02 18:00:19.000000000 +0100
@@ -1,3 +1,10 @@
+fonttools (4.57.0-1+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * Apply the upstream fix for CVE-2025-66034. Closes: #1121605
+
+ -- Bastian Germann <[email protected]>  Mon, 02 Feb 2026 18:00:20 +0100
+
 fonttools (4.57.0-1) unstable; urgency=medium
 
   * Team upload.
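Review bot: the changelog entry names only the CVE number; since this is a security update shipped via stable-proposed-updates, consider stating the issue class in the entry (e.g. "Apply the upstream fix for CVE-2025-66034 (arbitrary file write via path traversal in the varLib output filename). Closes: #1121605") so users reading apt-listchanges can tell what was fixed without looking up the advisory.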
diff -Nru fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch 
fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch
--- fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch   1970-01-01 
01:00:00.000000000 +0100
+++ fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch   2026-02-02 
17:43:47.000000000 +0100
@@ -0,0 +1,64 @@
+Origin: upstream, a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: varLib: only use the basename(vf.filename)
+
+Fontmake already does that since the beginning:
+https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438
+
+it's safer to disallow path traversal as it may lead to abritrary file write 
vulnerability, see 
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst        | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 5 +++++
+ Lib/fontTools/varLib/__init__.py         | 6 +++++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst 
b/Doc/source/designspaceLib/xml.rst
+index f5645b8ca4..6896f49e25 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -752,6 +752,11 @@ The ``<variable-fonts>`` element contains one or more 
``<variable-font>`` elemen
+   `.ttf`) and the build tools can replace that extension with another (e.g.
+   `.otf` or `.woff2`) as needed.
+ 
++  .. note::
++     This is intended to be a simple filename (basename or stem) only, not
++     an absolute or relative path. Build tools will only use the basename
++     component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py 
b/Lib/fontTools/designspaceLib/__init__.py
+index 661f3405da..0996e7b69e 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1323,6 +1323,11 @@ def __init__(self, *, name, filename=None, 
axisSubsets=None, lib=None):
+         in the document**. The file may or may not exist.
+ 
+         If not specified, the :attr:`name` will be used as a basename for the 
file.
++
++        .. note::
++            This is intended to be a simple filename (basename or stem) only.
++            Build tools will only use the basename component and ignore any
++            directory separators for security reasons.
+         """
+         self.axisSubsets: List[
+             Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]
+diff --git a/Lib/fontTools/varLib/__init__.py 
b/Lib/fontTools/varLib/__init__.py
+index fd0875567c..c19bd15158 100644
+--- a/Lib/fontTools/varLib/__init__.py
++++ b/Lib/fontTools/varLib/__init__.py
+@@ -1562,7 +1562,11 @@ def main(args=None):
+         vf_name_to_output_path[vfs_to_build[0].name] = options.outfile
+     else:
+         for vf in vfs_to_build:
+-            filename = vf.filename if vf.filename is not None else vf.name + 
".{ext}"
++            if vf.filename is not None:
++                # Only use basename to prevent path traversal attacks
++                filename = os.path.basename(vf.filename)
++            else:
++                filename = vf.name + ".{ext}"
+             vf_name_to_output_path[vf.name] = os.path.join(output_dir, 
filename)
+ 
+     finder = MasterFinder(options.master_finder)
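Review bot: the code change covers only the `for vf in vfs_to_build:` loop in varLib's `main()`, while the docstring note added to `designspaceLib/__init__.py` promises that "Build tools will only use the basename component"; the `filename` attribute itself is still stored unchanged, so any other consumer of `vf.filename` in this package has to apply the same `os.path.basename()` to get that guarantee. Two smaller points on the varLib hunk: `os.path.basename()` of a value that ends in a separator is the empty string, so `os.path.join(output_dir, filename)` then degrades to the bare directory, and a fallback to `vf.name + ".{ext}"` in that case would keep the loop robust; and on POSIX `os.path.basename()` does not treat backslashes as separators, which is correct there (they are ordinary filename characters) but worth a comment next to "Only use basename to prevent path traversal attacks". For the DEP-3 header, add `Bug-Debian: https://bugs.debian.org/1121605` and `Bug: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv` alongside `Origin:` so the patch is traceable from the file itself.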
diff -Nru fonttools-4.57.0/debian/patches/series 
fonttools-4.57.0/debian/patches/series
--- fonttools-4.57.0/debian/patches/series      2025-04-05 21:50:48.000000000 
+0200
+++ fonttools-4.57.0/debian/patches/series      2026-02-02 17:45:05.000000000 
+0100
@@ -2,3 +2,4 @@
 0002-keep-doctest-compatible-with-Unicode-15.1.patch
 Skip-test-on-i386-that-fails-because-of-excess-precision.patch
 0004-Disable-new-tests-related-to-unicode-16.0.patch
+0005-CVE-2025-66034.patch
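The following is an added example, not part of this bug report or of fontTools' own code: it mirrors the removed and the patched output-path computation from the varLib hunk in two stand-alone functions and adds a containment check a regression test can assert on. The `VariableFont` stand-in, the `{ext}` substitution done inline, and the extra fallback for an empty basename are assumptions of this example, not behaviour of the patch.

```python
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class VariableFont:
    """Constructed stand-in for one <variable-font> entry of a designspace."""
    name: str
    filename: Optional[str] = None


def output_path_before_fix(output_dir: str, vf: VariableFont, ext: str = "ttf") -> str:
    # Mirrors the removed line: vf.filename is joined as-is, so directory
    # components (including "..") taken from the designspace are honoured.
    filename = vf.filename if vf.filename is not None else vf.name + ".{ext}"
    # The "{ext}" placeholder is filled in here for the example's sake.
    return os.path.join(output_dir, filename.format(ext=ext))


def output_path_after_fix(output_dir: str, vf: VariableFont, ext: str = "ttf") -> str:
    # Mirrors the patched block: only the basename of vf.filename survives.
    # Extra guard (not in the patch): a filename that ends in a separator has
    # an empty basename, so fall back to the name-derived filename instead.
    filename = os.path.basename(vf.filename) if vf.filename is not None else ""
    if not filename:
        filename = vf.name + ".{ext}"
    return os.path.join(output_dir, filename.format(ext=ext))


def stays_inside(output_dir: str, path: str) -> bool:
    """Defensive check: does `path` resolve to a location beneath `output_dir`?"""
    root = os.path.realpath(output_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    out = "build"  # constructed output directory name
    for vf in (VariableFont("MyVF"),
               VariableFont("MyVF", "../../outside/Evil.ttf"),
               VariableFont("MyVF", "../../outside/")):
        before = output_path_before_fix(out, vf)
        after = output_path_after_fix(out, vf)
        print(f"{vf.filename!r}: before={before} inside={stays_inside(out, before)} "
              f"| after={after} inside={stays_inside(out, after)}")
```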
