Bug 1218748 (CVE-2023-45139) - VUL-0: CVE-2023-45139: python-FontTools: fonttools: XML External Entity Injection (XXE) Vulnerability
Summary: VUL-0: CVE-2023-45139: python-FontTools: fonttools: XML External Entity Injec...
Status: RESOLVED FIXED
Alias: CVE-2023-45139
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/390672/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45139:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-12 06:24 UTC by SMASH SMASH
Modified: 2024-05-17 09:00 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-01-12 06:24:38 UTC 
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45139
https://www.cve.org/CVERecord?id=CVE-2023-45139
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
https://github.com/fonttools/fonttools/releases/tag/4.43.0
https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
https://bugzilla.redhat.com/show_bug.cgi?id=2257808
Comment 3 Andrea Mattiazzo 2024-05-17 09:00:58 UTC 
All done, closing.