diff --git a/CVE-2025-66034.patch b/CVE-2025-66034.patch
new file mode 100644
index 0000000..48917ff
--- /dev/null
+++ b/CVE-2025-66034.patch
@@ -0,0 +1,64 @@
+From a696d5ba93270d5954f98e7cab5ddca8a02c1e32 Mon Sep 17 00:00:00 2001
+From: Cosimo Lupo
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: [PATCH] varLib: only use the basename(vf.filename)
+
+Fontmake already does that since the beginning:
+https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438
+
+it's safer to disallow path traversal as it may lead to abritrary file write vulnerability, see https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 5 +++++
+ Lib/fontTools/varLib/__init__.py | 6 +++++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst b/Doc/source/designspaceLib/xml.rst
+index f5645b8ca4..6896f49e25 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -752,6 +752,11 @@ The ```` element contains one or more ```` elemen
+ `.ttf`) and the build tools can replace that extension with another (e.g.
+ `.otf` or `.woff2`) as needed.
+ 
++ .. note::
++ This is intended to be a simple filename (basename or stem) only, not
++ an absolute or relative path. Build tools will only use the basename
++ component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py b/Lib/fontTools/designspaceLib/__init__.py
+index 661f3405da..0996e7b69e 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1323,6 +1323,11 @@ def __init__(self, *, name, filename=None, axisSubsets=None, lib=None):
+ in the document**. The file may or may not exist.
+ 
+ If not specified, the :attr:`name` will be used as a basename for the file.
++
++ .. note::
++ This is intended to be a simple filename (basename or stem) only.
++ Build tools will only use the basename component and ignore any
++ directory separators for security reasons.
+ """
+ self.axisSubsets: List[
+ Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]
+diff --git a/Lib/fontTools/varLib/__init__.py b/Lib/fontTools/varLib/__init__.py
+index fd0875567c..c19bd15158 100644
+--- a/Lib/fontTools/varLib/__init__.py
++++ b/Lib/fontTools/varLib/__init__.py
+@@ -1562,7 +1562,11 @@ def main(args=None):
+ vf_name_to_output_path[vfs_to_build[0].name] = options.outfile
+ else:
+ for vf in vfs_to_build:
+- filename = vf.filename if vf.filename is not None else vf.name + ".{ext}"
++ if vf.filename is not None:
++ # Only use basename to prevent path traversal attacks
++ filename = os.path.basename(vf.filename)
++ else:
++ filename = vf.name + ".{ext}"
+ vf_name_to_output_path[vf.name] = os.path.join(output_dir, filename)
+ 
+ finder = MasterFinder(options.master_finder)
diff --git a/python-FontTools.changes b/python-FontTools.changes
index f4350bd..3aee4f6 100644
--- a/python-FontTools.changes
+++ b/python-FontTools.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 19 16:04:04 UTC 2026 - Markéta Machová
+
+- Add security patch CVE-2025-66034.patch (bsc#1254366)
+
 -------------------------------------------------------------------
 Tue Aug 19 14:08:50 UTC 2025 - Markéta Machová
 
diff --git a/python-FontTools.spec b/python-FontTools.spec
index 8cf4528..c0ec410 100644
--- a/python-FontTools.spec
+++ b/python-FontTools.spec
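Review bot: `filename = os.path.basename(vf.filename)` in the varLib hunk still accepts a `vf.filename` that is empty, ends in a separator, or is `.` or `..`, because `os.path.basename` returns `""`, `"."` or `".."` for those and `os.path.join(output_dir, filename)` then names the output directory itself or its parent rather than a file inside it. That is no longer a traversal, but the failure presumably only surfaces later as an unclear save error instead of a validation message at the point where the designspace value is read. Falling through to the `vf.name + ".{ext}"` branch for such values, or rejecting them with `if filename in ("", ".", ".."): raise ValueError(f"invalid variable font filename: {vf.filename!r}")`, would keep the guard and fail early with a clear message. `main` starts before and continues past the hunk, so whether the formatted output path is checked elsewhere cannot be confirmed here.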
@@ -39,6 +39,8 @@ Group: Development/Languages/Python
 URL: https://github.com/fonttools/fonttools
 # The PyPI archive lacks some test files, but the source is identical to the github archive
 Source: https://github.com/fonttools/fonttools/archive/refs/tags/%{version}.tar.gz#/fonttools-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2025-66034.patch https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+Patch0: CVE-2025-66034.patch
 BuildRequires: %{python_module devel >= 3.7}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
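Review bot: `Patch0: CVE-2025-66034.patch` is declared here, but the `%prep` section lies outside the hunk, so whether the patch is actually applied (via `%autosetup -p1` or an explicit `%patch0 -p1`) cannot be confirmed from this change. A declared but unapplied Patch line builds without error, which would leave the CVE unfixed while the accompanying changelog entry claims it is addressed; it is worth verifying the `%prep` section in the same review. The `PATCH-FIX-UPSTREAM` comment pointing at the upstream commit follows the expected convention.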