Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fonttools
User: [email protected]
Usertags: pu
[ Reason ]
Security update for CVE-2023-45139 and CVE-2025-66034.

[ Impact ]
Arbitrary files can be written with malicious user input.
XML External Entity Injection allows for inclusion of arbitrary files.

[ Tests ]
The backport for CVE-2025-66034 has been checked with the PoC at
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
The CVE-2025-66034 patch is untested for fixing the CVE but checked for correct syntax.

[ Risks ]
Code is trivial (one conditional file name sanitization and one additional function parameter).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Use two upstream patches (one of them backported) to fix the CVEs.
diff -Nru fonttools-4.38.0/debian/changelog fonttools-4.38.0/debian/changelog --- fonttools-4.38.0/debian/changelog 2023-01-11 20:03:00.000000000 +0100 +++ fonttools-4.38.0/debian/changelog 2026-02-02 18:10:45.000000000 +0100 @@ -1,3 +1,11 @@ +fonttools (4.38.0-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * Backport the upstream fix for CVE-2025-66034. Closes: #1121605 + * Apply the upstream fix for CVE-2023-45139. + + -- Bastian Germann <[email protected]> Mon, 02 Feb 2026 18:10:45 +0100 + fonttools (4.38.0-1) unstable; urgency=medium * Team upload. diff -Nru fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch --- fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch 1970-01-01 01:00:00.000000000 +0100 +++ fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch 2026-02-02 18:10:45.000000000 +0100 
@@ -0,0 +1,59 @@ +Origin: backport, a696d5ba93270d5954f98e7cab5ddca8a02c1e32 +From: Cosimo Lupo <[email protected]> +Date: Fri, 21 Nov 2025 17:07:53 +0000 +Subject: designspaceLib: only use the basename of variable font filename + +Backported for fonttools 4.38.0. +Sanitize the filename when reading from the designspace XML to prevent +path traversal attacks that could lead to arbitrary file write. + +See https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv +--- + Doc/source/designspaceLib/xml.rst | 5 +++++ + Lib/fontTools/designspaceLib/__init__.py | 10 +++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Doc/source/designspaceLib/xml.rst b/Doc/source/designspaceLib/xml.rst +index f5645b8c..6896f49e 100644 +--- a/Doc/source/designspaceLib/xml.rst ++++ b/Doc/source/designspaceLib/xml.rst +@@ -680,6 +680,11 @@ The ``<variable-fonts>`` element contains one or more ``<variable-font>`` elemen + `.ttf`) and the build tools can replace that extension with another (e.g. + `.otf` or `.woff2`) as needed. + ++ .. note:: ++ This is intended to be a simple filename (basename or stem) only, not ++ an absolute or relative path. Build tools will only use the basename ++ component and ignore any directory separators for security reasons. ++ + .. rubric:: Example + + .. code:: xml +diff --git a/Lib/fontTools/designspaceLib/__init__.py b/Lib/fontTools/designspaceLib/__init__.py +index 12345678..87654321 100644 +--- a/Lib/fontTools/designspaceLib/__init__.py ++++ b/Lib/fontTools/designspaceLib/__init__.py +@@ -1210,6 +1210,11 @@ class VariableFontDescriptor(SimpleDescriptor): + in the document**. The file may or may not exist. + + If not specified, the :attr:`name` will be used as a basename for the file. ++ ++ .. note:: ++ This is intended to be a simple filename (basename or stem) only. ++ Build tools will only use the basename component and ignore any ++ directory separators for security reasons. 
+ """ + self.axisSubsets: List[Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]] = axisSubsets or [] + """Axis subsets to include in this variable font. +@@ -1986,7 +1991,10 @@ class BaseDocReader(LogMixin): + if name is None: + raise DesignSpaceDocumentError("variable-font element must have a name attribute.") + +- filename = variableFontElement.get("filename") ++ # Only use basename to prevent path traversal attacks (CVE-2025-66034) ++ filename = variableFontElement.get("filename") ++ if filename is not None: ++ filename = os.path.basename(filename) + + axisSubsetsElement = variableFontElement.find(".axis-subsets") + if axisSubsetsElement is None: diff -Nru fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch --- fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch 1970-01-01 01:00:00.000000000 +0100 +++ fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch 2026-02-02 18:10:45.000000000 +0100 
@@ -0,0 +1,24 @@ +Origin: upstream, 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c +From: Cosimo Lupo <[email protected]> +Date: Fri, 15 Sep 2023 16:50:38 +0200 +Subject: subset: parse OT-SVG with resolve_entities=False + +to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/ +--- + Lib/fontTools/subset/svg.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py +index f6d74a4002..2e55bf54c0 100644 +--- a/Lib/fontTools/subset/svg.py ++++ b/Lib/fontTools/subset/svg.py +@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool: + # ignore blank text as it's not meaningful in OT-SVG; it also prevents + # dangling tail text after removing an element when pretty_print=True + remove_blank_text=True, ++ # don't replace entities; we don't expect any in OT-SVG and they may ++ # aboused for XXE attacks ++ resolve_entities=False, + ), + ) + diff -Nru fonttools-4.38.0/debian/patches/series fonttools-4.38.0/debian/patches/series --- fonttools-4.38.0/debian/patches/series 2022-10-17 02:47:59.000000000 +0200 +++ fonttools-4.38.0/debian/patches/series 2026-02-02 18:10:45.000000000 +0100 @@ -1 +1,3 @@ 0001-add-module-path-for-automodule-directive.patch +0002-CVE-2025-66034.patch +0003-CVE-2023-45139.patch
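Review bot: in the debian/changelog hunk the CVE-2023-45139 line carries no bug reference while the CVE-2025-66034 line has `Closes: #1121605`; if a Debian bug was filed for the 2023 CVE it should be closed by this upload as well, otherwise this is fine as is.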
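Review bot: in the `BaseDocReader` hunk of 0002-CVE-2025-66034.patch (`@@ -1986,7 +1991,10 @@`), the `if filename is not None:` guard lets an all-directory value through as an empty string: `os.path.basename("fonts/")` returns `""`, which is not `None`, so the documented fallback "If not specified, the :attr:`name` will be used as a basename" is skipped and an empty filename is stored. Consider normalising after the call, e.g. `if not filename: filename = None`, or raising `DesignSpaceDocumentError` as the hunk already does for a missing `name`. Two backport checks as well: the hunk adds no import and the header lists only two files changed, so please confirm `os` is already imported in `Lib/fontTools/designspaceLib/__init__.py` at 4.38.0; and `os.path.basename` only splits on the host's separators, so on POSIX a backslash is kept (harmless there, but not what "ignore any directory separators" in the added docs suggests).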
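Review bot: the note added in the `VariableFontDescriptor` docstring hunk (`@@ -1210,6 +1210,11 @@`) and the matching `xml.rst` hunk state that "Build tools will only use the basename component", but the sanitisation in this patch is applied only in the XML reader (`BaseDocReader`), so a descriptor whose `filename` is set programmatically is not covered by it. Either reword the note to say the reader reduces the attribute to its basename when parsing the designspace file, or apply `os.path.basename` where the filename is consumed as well.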
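Review bot: the comment added in the `subset/svg.py` hunk of 0003-CVE-2023-45139.patch has a typo inherited from the upstream commit ("aboused" for "abused"); as the patch is tagged `Origin: upstream` keeping it verbatim is acceptable, but it is worth noting. On substance, `resolve_entities=False` stops lxml from expanding entity declarations, which is the XXE guard the subject line names; the hunk shows only three keyword arguments of the parser constructor, so the diff alone does not show whether `load_dtd` and `no_network` keep lxml's defaults (False and True respectively), which is what makes this setting sufficient. Please check the full constructor call around line 225 of the 4.38.0 source when verifying the backport.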

