MGASA-2024-0060

Updated fonttools packages fix security vulnerabilities

Publication date: 14 Mar 2024
Modification date: 14 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-45139

Description

As of fonttools>=4.28.2, the subsetting module has an XML External Entity
Injection (XXE) vulnerability that allows an attacker to resolve
arbitrary entities when a candidate font (an OT-SVG font) containing
an SVG table is parsed.
This allows attackers to include arbitrary files from the filesystem
fontTools is running on, or to make web requests from the host system.
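Added example, not Mageia's or the fontTools project's code, showing the pre-parse check a defender would put in front of SVG table handling: an SVG document that declares a DTD (the only place entity declarations can live) is refused before any entity-resolving parser sees it. It assumes the caller has already extracted each SVG table document as bytes (for instance with fontTools); the two sample documents are constructed.

```python
"""Added example, not Mageia's or the fontTools project's code: refuse any DTD
in an OT-SVG font's SVG table before an entity-resolving parser sees it.
Assumption: the caller has already extracted each SVG table document
(for instance with fontTools) and passes it in as bytes."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample documents of the kind an SVG table carries.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<path id="glyph1" d="M0 0h10v10z"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///example/local-file">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<text id="glyph1">&ext;</text></svg>')


class UnsafeSvgTable(ValueError):
    """The SVG document declares a DTD, which glyph SVG never needs."""


def reject_dtd(svg_doc: bytes) -> None:
    """Stream the document through expat and abort on the first DOCTYPE.
    Entity declarations can only appear inside a DOCTYPE, so refusing the
    DOCTYPE itself closes the XXE path whatever follows it. The external
    entity handler returns 0 (refuse), so nothing is fetched from disk or
    the network while checking."""
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeSvgTable(f"SVG table document declares <!DOCTYPE {name}>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = lambda *_args: 0
    parser.Parse(svg_doc, True)


def parse_svg_table(svg_doc: bytes) -> ET.Element:
    """Parse an SVG table document only after reject_dtd has cleared it."""
    reject_dtd(svg_doc)
    return ET.fromstring(svg_doc)


def is_safe_svg_table(svg_doc: bytes) -> bool:
    """True if the document parses with no DTD; malformed XML also fails."""
    try:
        reject_dtd(svg_doc)
    except (UnsafeSvgTable, expat.ExpatError):
        return False
    return True
```

If the parser that follows is lxml, the same policy is expressed on its side as `etree.XMLParser(resolve_entities=False, no_network=True)`; the check above is independent of which parser comes next.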

References

SRPMS

9/core