CVE-2025-66034 (bsc#1254366)

CVE-2025-66034.patch

@@ -0,0 +1,64 @@
+From a696d5ba93270d5954f98e7cab5ddca8a02c1e32 Mon Sep 17 00:00:00 2001
+From: Cosimo Lupo <clupo@google.com>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: [PATCH] varLib: only use the basename(vf.filename)
+
+Fontmake already does that since the beginning:
+https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438
+
+it's safer to disallow path traversal as it may lead to abritrary file write vulnerability, see https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst        | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 5 +++++
+ Lib/fontTools/varLib/__init__.py         | 6 +++++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst b/Doc/source/designspaceLib/xml.rst
+index f5645b8ca4..6896f49e25 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -752,6 +752,11 @@ The ``<variable-fonts>`` element contains one or more ``<variable-font>`` elemen
+   `.ttf`) and the build tools can replace that extension with another (e.g.
+   `.otf` or `.woff2`) as needed.
+ 
++  .. note::
++     This is intended to be a simple filename (basename or stem) only, not
++     an absolute or relative path. Build tools will only use the basename
++     component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py b/Lib/fontTools/designspaceLib/__init__.py
+index 661f3405da..0996e7b69e 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1323,6 +1323,11 @@ def __init__(self, *, name, filename=None, axisSubsets=None, lib=None):
+         in the document**. The file may or may not exist.
+ 
+         If not specified, the :attr:`name` will be used as a basename for the file.
++
++        .. note::
++            This is intended to be a simple filename (basename or stem) only.
++            Build tools will only use the basename component and ignore any
++            directory separators for security reasons.
+         """
+         self.axisSubsets: List[
+             Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]
+diff --git a/Lib/fontTools/varLib/__init__.py b/Lib/fontTools/varLib/__init__.py
+index fd0875567c..c19bd15158 100644
+--- a/Lib/fontTools/varLib/__init__.py
++++ b/Lib/fontTools/varLib/__init__.py
+@@ -1562,7 +1562,11 @@ def main(args=None):
+         vf_name_to_output_path[vfs_to_build[0].name] = options.outfile
+     else:
+         for vf in vfs_to_build:
+-            filename = vf.filename if vf.filename is not None else vf.name + ".{ext}"
++            if vf.filename is not None:
++                # Only use basename to prevent path traversal attacks
++                filename = os.path.basename(vf.filename)
++            else:
++                filename = vf.name + ".{ext}"
+             vf_name_to_output_path[vf.name] = os.path.join(output_dir, filename)
+ 
+     finder = MasterFinder(options.master_finder)

python-FontTools.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jan 19 16:04:04 UTC 2026 - Markéta Machová <mmachova@suse.com>
+
+- Add security patch CVE-2025-66034.patch (bsc#1254366)
+
+-------------------------------------------------------------------
+Tue Aug 19 14:08:50 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Convert to libalternatives on SLE-16-based and newer systems
+
 -------------------------------------------------------------------
 Thu Jul 25 07:44:50 UTC 2024 - Frantisek Simorda <frantisek.simorda@suse.com>
 

python-FontTools.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-FontTools
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,11 @@
 %define psuffix %{nil}
 %bcond_with test
 %endif
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
 %{?sle15_python_module_pythons}
 Name:           python-FontTools%{psuffix}
 Version:        4.53.1
@@ -34,6 +39,8 @@ Group:          Development/Languages/Python
 URL:            https://github.com/fonttools/fonttools
 # The PyPI archive lacks some test files, but the source is identical to the github archive
 Source:         https://github.com/fonttools/fonttools/archive/refs/tags/%{version}.tar.gz#/fonttools-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2025-66034.patch https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+Patch0:         CVE-2025-66034.patch
 BuildRequires:  %{python_module devel >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
@@ -41,12 +48,10 @@ BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 BuildRequires:  unzip
-# some packages should require fonttools[ufo] but expect fs to be pulled in by default.
-Requires:       python-fs >= 2.2.0
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Recommends:     python-Brotli >= 1.1.0
 Recommends:     python-freetype-py >= 2.4.0
+# some packages should require fonttools[ufo], but fs is not a hard dependency anymore.
+Recommends:     python-fs >= 2.2.0
 Recommends:     python-lxml
 Recommends:     python-munkres >= 1.1.4
 Recommends:     python-reportlab
@@ -56,14 +61,22 @@ Recommends:     python-ufoLib2 >= 0.16.0
 Recommends:     python-unicodedata2 >= 15.1.0
 Recommends:     python-zopfli >= 0.2.3
 Provides:       python-fonttools = %{version}-%{release}
+Obsoletes:      fonttools < %{version}-%{release}
+Provides:       fonttools = %{version}-%{release}
 BuildArch:      noarch
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+%endif
 %if %{with test}
 BuildRequires:  %{python_module Brotli >= 1.1.0}
+BuildRequires:  %{python_module FontTools = %{version}}
 BuildRequires:  %{python_module fs >= 2.4.16}
 BuildRequires:  %{python_module pytest}
 %endif
-Obsoletes:      fonttools < %{version}-%{release}
-Provides:       fonttools = %{version}-%{release}
 %python_subpackages
 
 %description
@@ -99,7 +112,11 @@ export LANG=en_US.UTF-8
 # We need these files to be installed for tests, but now we need them removed
 # not to confuse %%files checks
 %python_expand rm -r %{buildroot}%{$python_sitelib}
+%if %{with libalternatives}
+rm -r %{buildroot}%{_datadir}/libalternatives
+%else
 rm -r %{buildroot}%{_sysconfdir}/alternatives
+%endif
 rm -r %{buildroot}%{_bindir}
 rm -r %{buildroot}%{_mandir}
 %endif
@@ -117,6 +134,12 @@ rm -r %{buildroot}%{_mandir}
 %python_uninstall_alternative pyftmerge
 %python_uninstall_alternative fonttools
 
+%pre
+%python_libalternatives_reset_alternative ttx
+%python_libalternatives_reset_alternative pyftsubset
+%python_libalternatives_reset_alternative pyftmerge
+%python_libalternatives_reset_alternative fonttools
+
 %files %{python_files}
 %license LICENSE LICENSE.external
 %doc README.rst NEWS.rst