Your message dated Sat, 16 May 2026 11:07:42 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1126864,
regarding bookworm-pu: package fonttools/4.38.0-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126864
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fonttools
User: [email protected]
Usertags: pu
[ Reason ]
Security update for CVE-2023-45139 and CVE-2025-66034.
[ Impact ]
Arbitrary files can be written with malicious user input.
XML External Entity Injection allows for inclusion of arbitrary files.
[ Tests ]
The backport for CVE-2025-66034 has been checked with the PoC at
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
The CVE-2025-66034 patch is untested for fixing the CVE but checked for
correct syntax.
[ Risks ]
Code is trivial (one conditional file name sanitization and one
additional function parameter).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Use two upstream patches (one of them backported) to fix the CVEs.
diff -Nru fonttools-4.38.0/debian/changelog fonttools-4.38.0/debian/changelog
--- fonttools-4.38.0/debian/changelog 2023-01-11 20:03:00.000000000 +0100
+++ fonttools-4.38.0/debian/changelog 2026-02-02 18:10:45.000000000 +0100
@@ -1,3 +1,11 @@
+fonttools (4.38.0-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * Backport the upstream fix for CVE-2025-66034. Closes: #1121605
+ * Apply the upstream fix for CVE-2023-45139.
+
+ -- Bastian Germann <[email protected]> Mon, 02 Feb 2026 18:10:45 +0100
+
fonttools (4.38.0-1) unstable; urgency=medium
* Team upload.
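Review bot: the CVE-2023-45139 line cites no bug number while the CVE-2025-66034 line closes #1121605; if a Debian bug or security-tracker entry exists for CVE-2023-45139, reference it here so the tracker links this upload to that fix as well.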
diff -Nru fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch
fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch
--- fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch 1970-01-01
01:00:00.000000000 +0100
+++ fonttools-4.38.0/debian/patches/0002-CVE-2025-66034.patch 2026-02-02
18:10:45.000000000 +0100
@@ -0,0 +1,59 @@
+Origin: backport, a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: designspaceLib: only use the basename of variable font filename
+
+Backported for fonttools 4.38.0.
+Sanitize the filename when reading from the designspace XML to prevent
+path traversal attacks that could lead to arbitrary file write.
+
+See
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst
b/Doc/source/designspaceLib/xml.rst
+index f5645b8c..6896f49e 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -680,6 +680,11 @@ The ``<variable-fonts>`` element contains one or more
``<variable-font>`` elemen
+ `.ttf`) and the build tools can replace that extension with another (e.g.
+ `.otf` or `.woff2`) as needed.
+
++ .. note::
++ This is intended to be a simple filename (basename or stem) only, not
++ an absolute or relative path. Build tools will only use the basename
++ component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py
b/Lib/fontTools/designspaceLib/__init__.py
+index 12345678..87654321 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1210,6 +1210,11 @@ class VariableFontDescriptor(SimpleDescriptor):
+ in the document**. The file may or may not exist.
+
+ If not specified, the :attr:`name` will be used as a basename for the
file.
++
++ .. note::
++ This is intended to be a simple filename (basename or stem) only.
++ Build tools will only use the basename component and ignore any
++ directory separators for security reasons.
+ """
+ self.axisSubsets: List[Union[RangeAxisSubsetDescriptor,
ValueAxisSubsetDescriptor]] = axisSubsets or []
+ """Axis subsets to include in this variable font.
+@@ -1986,7 +1991,10 @@ class BaseDocReader(LogMixin):
+ if name is None:
+ raise DesignSpaceDocumentError("variable-font element must
have a name attribute.")
+
+- filename = variableFontElement.get("filename")
++ # Only use basename to prevent path traversal attacks
(CVE-2025-66034)
++ filename = variableFontElement.get("filename")
++ if filename is not None:
++ filename = os.path.basename(filename)
+
+ axisSubsetsElement = variableFontElement.find(".axis-subsets")
+ if axisSubsetsElement is None:
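Review bot: `os.path.basename()` alone still lets `..`, `.` and an empty string (from a trailing separator) through, since `os.path.basename("..")` is `".."`; add a check after the basename call that rejects those values (e.g. raise `DesignSpaceDocumentError` when `filename in ("", ".", "..")`) so the build tools never receive a non-file name. Two further points: the hunk does not show that `os` is imported in this module in 4.38.0, so please confirm it is, and the sanitization covers only what `BaseDocReader` reads from XML, while the doc notes added above promise that "Build tools will only use the basename component"; a `VariableFontDescriptor` constructed in Python with a path in `filename` is not touched, so either the docs should say the reader applies basename, or the descriptor/writer should enforce it too.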
diff -Nru fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch
fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch
--- fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch 1970-01-01
01:00:00.000000000 +0100
+++ fonttools-4.38.0/debian/patches/0003-CVE-2023-45139.patch 2026-02-02
18:10:45.000000000 +0100
@@ -0,0 +1,24 @@
+Origin: upstream, 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 15 Sep 2023 16:50:38 +0200
+Subject: subset: parse OT-SVG with resolve_entities=False
+
+to guard against XXE attacks as recommended in
https://codeql.github.com/codeql-query-help/python/py-xxe/
+---
+ Lib/fontTools/subset/svg.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
+index f6d74a4002..2e55bf54c0 100644
+--- a/Lib/fontTools/subset/svg.py
++++ b/Lib/fontTools/subset/svg.py
+@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
+ # ignore blank text as it's not meaningful in OT-SVG; it also
prevents
+ # dangling tail text after removing an element when
pretty_print=True
+ remove_blank_text=True,
++ # don't replace entities; we don't expect any in OT-SVG and
they may
++ # aboused for XXE attacks
++ resolve_entities=False,
+ ),
+ )
+
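Review bot: since the patch is carried verbatim from upstream, the "aboused" typo in the comment can stay, but the `[ Tests ]` section of this request says the CVE-2025-66034 patch is untested when it is this one (CVE-2023-45139) that was only syntax-checked, given that the other patch was verified against the GHSA PoC; please correct the request text so the record is right. A quick functional check for this hunk is to subset a font whose SVG table document declares an internal DTD with an external entity and references it in content, then confirm the entity reference is left unexpanded and no file read is attempted.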
diff -Nru fonttools-4.38.0/debian/patches/series
fonttools-4.38.0/debian/patches/series
--- fonttools-4.38.0/debian/patches/series 2022-10-17 02:47:59.000000000
+0200
+++ fonttools-4.38.0/debian/patches/series 2026-02-02 18:10:45.000000000
+0100
@@ -1 +1,3 @@
0001-add-module-path-for-automodule-directive.patch
+0002-CVE-2025-66034.patch
+0003-CVE-2023-45139.patch
--- End Message ---
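The designspace path-traversal fix above applies `os.path.basename()` to the `filename` attribute read from XML. The following is an added example, not fontTools code and not part of the original request, showing that sanitization together with the two checks a hardened reader would add: rejecting `..`, `.` and empty names, and verifying before writing that the target stays inside the output directory. It uses a stdlib `xml.etree` stand-in for fontTools' `BaseDocReader.readVariableFonts`; the designspace document and the `/build/out` output directory are constructed for this example.

```python
"""Added example (not fontTools code): sanitizing the <variable-font filename>
attribute of a designspace document as the CVE-2025-66034 fix does, plus two
extra checks. The designspace below is constructed for this example and the
reader is a stdlib xml.etree stand-in for fontTools' BaseDocReader.
"""
import os
import pathlib
import xml.etree.ElementTree as ET

# Constructed designspace fragment: one traversal filename, one benign one.
DESIGNSPACE_XML = """<designspace format="5.0">
  <variable-fonts>
    <variable-font name="MyFont-VF" filename="../../../../tmp/evil.ttf">
      <axis-subsets><axis-subset name="Weight"/></axis-subsets>
    </variable-font>
    <variable-font name="MyFont-Italic-VF" filename="MyFont-Italic-VF.ttf">
      <axis-subsets><axis-subset name="Weight"/></axis-subsets>
    </variable-font>
  </variable-fonts>
</designspace>
"""


def sanitize_filename(filename):
    """Reduce an untrusted filename attribute to a single path component.

    The upstream fix applies os.path.basename() only. Two gaps remain with
    that alone: on POSIX a backslash is an ordinary character, so a
    backslash-separated traversal passes through unchanged, and
    basename("..") is "..", which is not a file name. PureWindowsPath.name
    treats both separators as separators and drops ".", and the explicit
    check below rejects "" and "..". Returns None when nothing usable is left.
    """
    name = pathlib.PureWindowsPath(os.path.basename(filename)).name
    if name in ("", ".", ".."):
        return None
    return name


def read_variable_fonts(xml_text):
    """Parse <variable-font> elements into [(name, safe_filename), ...].

    Mirrors the shape of the patched reader: a missing name is an error, a
    missing filename is allowed (None), any other filename is sanitized.
    """
    root = ET.fromstring(xml_text)
    fonts = []
    for element in root.iterfind("./variable-fonts/variable-font"):
        name = element.get("name")
        if name is None:
            raise ValueError("variable-font element must have a name attribute.")
        filename = element.get("filename")
        if filename is not None:
            filename = sanitize_filename(filename)
            if filename is None:
                raise ValueError("variable-font %r has an unusable filename" % name)
        fonts.append((name, filename))
    return fonts


def within_output_dir(output_dir, filename):
    """Containment check a build tool can run right before writing a file.

    Normalizes the joined path and requires that output_dir is still its
    common prefix, so any '..' that survived earlier handling is caught here.
    """
    out = os.path.abspath(output_dir)
    target = os.path.abspath(os.path.join(out, filename))
    return os.path.commonpath([out, target]) == out


if __name__ == "__main__":
    raw = "../../../../tmp/evil.ttf"
    print("unsanitized filename stays inside /build/out:",
          within_output_dir("/build/out", raw))
    for name, filename in read_variable_fonts(DESIGNSPACE_XML):
        print(name, "->", filename,
              "inside:", within_output_dir("/build/out", filename))
```

Run stand-alone it prints `False` for the raw traversal value and `True` for both sanitized names. The containment check is deliberately kept separate from the sanitizer so it can sit at the write site in a build tool, where it also covers filenames that never passed through the XML reader.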
--- Begin Message ---
Package: release.debian.org
Version: 12.14
This update has been released as part of Debian 12.14.
--- End Message ---