CVE-2023-45139

Advisory

Fonttools is affected by a XML External Entity Injection (XXE) Vulnerability. As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

----------------------------

- [subset] Set up lxml ``XMLParser(resolve_entities=False)`` when parsing OT-SVG documents
to prevent XML External Entity (XXE) attacks (9f61271dc):
https://codeql.github.com/codeql-query-help/python/py-xxe/
- [varLib.iup] Added workaround for a Cython bug in ``iup_delta_optimize`` that was
leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas
(60126435d, cython/cython5732).
- [varLib] Added new command-line entry point ``fonttools varLib.avar`` to add an
``avar`` table to an existing VF from axes mappings in a .designspace file (0a3360e52).
- [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned
after VarData optimization (3268).
- Added support for Python 3.12 (3283).

Resources

• https://pypi.org/project/fonttools
• https://data.safetycli.com/changelogs/fonttools/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45139