Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fonttools
User: [email protected]
Usertags: pu

[ Reason ]
Security update for CVE-2023-45139 and CVE-2025-66034.

[ Impact ]
Arbitrary files can be written with malicious user input.

XML External Entity Injection allows for inclusion of arbitrary files.

[ Tests ]
The backport for CVE-2025-66034 has been checked with the PoC at
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv

The CVE-2025-66034 patch is untested for fixing the CVE but checked for
correct syntax.

[ Risks ]
Code is trivial (one conditional file name sanitization and one
additional function parameter).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Use two upstream patches (one of them backported) to fix the CVEs.
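To show what the backported CVE-2025-66034 sanitization changes for a build tool, here is an added example (not fonttools code and not part of this bug report) that reads constructed `<variable-font>` elements with the stdlib ElementTree, applies the same `os.path.basename` step as the patch, and adds a containment check on the resulting output path; the build directory `/build/out`, the XML fragment and the function names are assumptions made for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed designspace fragment (not from fonttools). The first filename
# has the shape the advisory describes; the second omits filename; the
# third ends in a separator, so its basename is empty.
DESIGNSPACE_XML = """\
<designspace format="5.0">
  <variable-fonts>
    <variable-font name="MyFont-VF" filename="../../etc/MyFont-VF.ttf"/>
    <variable-font name="Other-VF"/>
    <variable-font name="Third-VF" filename="sub/dir/"/>
  </variable-fonts>
</designspace>
"""


def read_variable_font_filename(element, sanitize=True):
    """sanitize=False mirrors the pre-patch reader (raw attribute value);
    sanitize=True mirrors the patch (os.path.basename). An empty result,
    e.g. a value ending in a separator, or a missing attribute falls back
    to the name attribute, as the descriptor docstring says."""
    filename = element.get("filename")
    if filename is not None and sanitize:
        filename = os.path.basename(filename)
    return filename or element.get("name")


def output_paths(xml_text, outdir, sanitize=True):
    """Map each variable-font name to the path a build tool would write."""
    root = ET.fromstring(xml_text)
    return {
        vf.get("name"): os.path.normpath(
            os.path.join(outdir, read_variable_font_filename(vf, sanitize))
        )
        for vf in root.iter("variable-font")
    }


def escapes(path, outdir):
    """Containment check a build tool can keep on top of the basename fix."""
    outdir = os.path.abspath(outdir)
    return os.path.commonpath([outdir, os.path.abspath(path)]) != outdir


if __name__ == "__main__":
    for mode in (False, True):
        for name, path in output_paths(DESIGNSPACE_XML, "/build/out", mode).items():
            print(f"sanitize={mode}: {name} -> {path} escapes={escapes(path, '/build/out')}")
```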
diff -Nru fonttools-4.38.0/debian/changelog fonttools-4.38.0/debian/changelog
--- fonttools-4.38.0/debian/changelog   2023-01-11 20:03:00.000000000 +0100
+++ fonttools-4.38.0/debian/changelog   2026-02-02 18:10:45.000000000 +0100
@@ -1,3 +1,11 @@
+fonttools (4.38.0-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Backport the upstream fix for CVE-2025-66034. Closes: #1121605
+  * Apply the upstream fix for CVE-2023-45139.
+
+ -- Bastian Germann <[email protected]>  Mon, 02 Feb 2026 18:10:45 +0100
+
 fonttools (4.38.0-1) unstable; urgency=medium
 
   * Team upload.
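Review bot: the CVE-2023-45139 changelog entry carries no bug reference while the CVE-2025-66034 entry has "Closes: #1121605"; if a Debian bug is open for the older CVE, add a matching Closes: so the BTS is updated on upload, otherwise the entry is fine as is.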
diff -Nru fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch 
fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch
--- fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch   1970-01-01 
01:00:00.000000000 +0100
+++ fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch   2026-02-02 
18:10:45.000000000 +0100
@@ -0,0 +1,59 @@
+Origin: backport, a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: designspaceLib: only use the basename of variable font filename
+
+Backported for fonttools 4.38.0.
+Sanitize the filename when reading from the designspace XML to prevent
+path traversal attacks that could lead to arbitrary file write.
+
+See 
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst        |  5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst 
b/Doc/source/designspaceLib/xml.rst
+index f5645b8c..6896f49e 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -680,6 +680,11 @@ The ``<variable-fonts>`` element contains one or more 
``<variable-font>`` elemen
+   `.ttf`) and the build tools can replace that extension with another (e.g.
+   `.otf` or `.woff2`) as needed.
+ 
++  .. note::
++     This is intended to be a simple filename (basename or stem) only, not
++     an absolute or relative path. Build tools will only use the basename
++     component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py 
b/Lib/fontTools/designspaceLib/__init__.py
+index 12345678..87654321 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1210,6 +1210,11 @@ class VariableFontDescriptor(SimpleDescriptor):
+         in the document**. The file may or may not exist.
+ 
+         If not specified, the :attr:`name` will be used as a basename for the 
file.
++
++        .. note::
++            This is intended to be a simple filename (basename or stem) only.
++            Build tools will only use the basename component and ignore any
++            directory separators for security reasons.
+         """
+         self.axisSubsets: List[Union[RangeAxisSubsetDescriptor, 
ValueAxisSubsetDescriptor]] = axisSubsets or []
+         """Axis subsets to include in this variable font.
+@@ -1986,7 +1991,10 @@ class BaseDocReader(LogMixin):
+             if name is None:
+                 raise DesignSpaceDocumentError("variable-font element must 
have a name attribute.")
+ 
+-            filename = variableFontElement.get("filename")
++            # Only use basename to prevent path traversal attacks 
(CVE-2025-66034)
++            filename = variableFontElement.get("filename")
++            if filename is not None:
++                filename = os.path.basename(filename)
+ 
+             axisSubsetsElement = variableFontElement.find(".axis-subsets")
+             if axisSubsetsElement is None:
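Review bot: the line `+index 12345678..87654321 100644` is a placeholder rather than real blob ids; quilt and patch ignore it, but dropping the index line or using the ids from the upstream commit named in Origin would avoid confusing anyone who tries `git apply`. On the code change itself, `os.path.basename` only strips the running platform's separators (on POSIX `/` but not `\`) and returns an empty string for a value ending in a separator, so `filename` can become `""` after the hunk; since the docstring hunk above states the name is used as the basename when no filename is given, consider treating an empty sanitized result the same way, e.g. `if not filename: filename = None`. The hunk adds no `import os`, so confirm the module already imports it (the rest of designspaceLib uses `os.path`, so this should already hold).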
diff -Nru fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch 
fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch
--- fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch   1970-01-01 
01:00:00.000000000 +0100
+++ fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch   2026-02-02 
18:10:45.000000000 +0100
@@ -0,0 +1,24 @@
+Origin: upstream, 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 15 Sep 2023 16:50:38 +0200
+Subject: subset: parse OT-SVG with resolve_entities=False
+
+to guard against XXE attacks as recommended in 
https://codeql.github.com/codeql-query-help/python/py-xxe/
+---
+ Lib/fontTools/subset/svg.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
+index f6d74a4002..2e55bf54c0 100644
+--- a/Lib/fontTools/subset/svg.py
++++ b/Lib/fontTools/subset/svg.py
+@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
+                 # ignore blank text as it's not meaningful in OT-SVG; it also 
prevents
+                 # dangling tail text after removing an element when 
pretty_print=True
+                 remove_blank_text=True,
++                # don't replace entities; we don't expect any in OT-SVG and 
they may
++                # aboused for XXE attacks
++                resolve_entities=False,
+             ),
+         )
+ 
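Review bot: the added comment in `svg.py` has a typo ("aboused" for "abused"); as this is a verbatim cherry-pick of upstream commit 9f61271d it can stay to keep the patch identical, or be fixed in a later upstream sync. The fix passes `resolve_entities=False` to the lxml parser used in `subset_glyphs`, matching the CodeQL guidance linked in the header; since the [ Tests ] section says one of the two patches was only syntax-checked, a minimal functional check (subset an OT-SVG font whose SVG document declares an internal entity and confirm the entity reference is left unexpanded instead of resolved) would back that up before upload.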
diff -Nru fonttools-4.38.0/debian/patches/series 
fonttools-4.38.0/debian/patches/series
--- fonttools-4.38.0/debian/patches/series      2022-10-17 02:47:59.000000000 
+0200
+++ fonttools-4.38.0/debian/patches/series      2026-02-02 18:10:45.000000000 
+0100
@@ -1 +1,3 @@
 0001-add-module-path-for-automodule-directive.patch
+0002-CVE-2025-66034.patch
+0003-CVE-2023-45139.patch
