CVE-2025-66034 (bsc#1254366)

2026-01-19 17:17:13 +01:00
parent 6e0a5758b2
commit e1adc9d257
3 changed files with 71 additions and 0 deletions
--- a/CVE-2025-66034.patch
+++ b/CVE-2025-66034.patch
@@ -0,0 +1,64 @@
+From a696d5ba93270d5954f98e7cab5ddca8a02c1e32 Mon Sep 17 00:00:00 2001
+From: Cosimo Lupo <clupo@google.com>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: [PATCH] varLib: only use the basename(vf.filename)
+
+Fontmake already does that since the beginning:
+https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438
+
+it's safer to disallow path traversal as it may lead to abritrary file write vulnerability, see https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst        | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 5 +++++
+ Lib/fontTools/varLib/__init__.py         | 6 +++++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst b/Doc/source/designspaceLib/xml.rst
+index f5645b8ca4..6896f49e25 100644
+--- a/Doc/source/designspaceLib/xml.rst
+++ b/Doc/source/designspaceLib/xml.rst
+@@ -752,6 +752,11 @@ The ``<variable-fonts>`` element contains one or more ``<variable-font>`` elemen
+   `.ttf`) and the build tools can replace that extension with another (e.g.
+   `.otf` or `.woff2`) as needed.
+ 
+  .. note::
+     This is intended to be a simple filename (basename or stem) only, not
+     an absolute or relative path. Build tools will only use the basename
+     component and ignore any directory separators for security reasons.
+
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py b/Lib/fontTools/designspaceLib/__init__.py
+index 661f3405da..0996e7b69e 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
+++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1323,6 +1323,11 @@ def __init__(self, *, name, filename=None, axisSubsets=None, lib=None):
+         in the document**. The file may or may not exist.
+ 
+         If not specified, the :attr:`name` will be used as a basename for the file.
+
+        .. note::
+            This is intended to be a simple filename (basename or stem) only.
+            Build tools will only use the basename component and ignore any
+            directory separators for security reasons.
+         """
+         self.axisSubsets: List[
+             Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]
+diff --git a/Lib/fontTools/varLib/__init__.py b/Lib/fontTools/varLib/__init__.py
+index fd0875567c..c19bd15158 100644
+--- a/Lib/fontTools/varLib/__init__.py
+++ b/Lib/fontTools/varLib/__init__.py
+@@ -1562,7 +1562,11 @@ def main(args=None):
+         vf_name_to_output_path[vfs_to_build[0].name] = options.outfile
+     else:
+         for vf in vfs_to_build:
+-            filename = vf.filename if vf.filename is not None else vf.name + ".{ext}"
+            if vf.filename is not None:
+                # Only use basename to prevent path traversal attacks
+                filename = os.path.basename(vf.filename)
+            else:
+                filename = vf.name + ".{ext}"
+             vf_name_to_output_path[vf.name] = os.path.join(output_dir, filename)
+ 
+     finder = MasterFinder(options.master_finder)
--- a/python-FontTools.changes
+++ b/python-FontTools.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 19 16:04:04 UTC 2026 - Markéta Machová <mmachova@suse.com>
+
+- Add security patch CVE-2025-66034.patch (bsc#1254366)
+
 -------------------------------------------------------------------
 Tue Aug 19 14:08:50 UTC 2025 - Markéta Machová <mmachova@suse.com>

--- a/python-FontTools.spec
+++ b/python-FontTools.spec
@@ -39,6 +39,8 @@ Group:          Development/Languages/Python
 URL:            https://github.com/fonttools/fonttools
 # The PyPI archive lacks some test files, but the source is identical to the github archive
 Source:         https://github.com/fonttools/fonttools/archive/refs/tags/%{version}.tar.gz#/fonttools-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2025-66034.patch https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+Patch0:         CVE-2025-66034.patch
 BuildRequires:  %{python_module devel >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}