Bug 2417780 (CVE-2025-66034)

Summary: CVE-2025-66034 fonttools: fontTools: Arbitrary file write leading to remote code execution via malicious .designspace file
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbrownin, carogers, caswilli, dnakabaa, erezende, haoli, hkataria, jajackso, jcammara, jkoehler, jmitchel, jneedle, joehler, jwong, kaycoth, kegrant, koliveir, kshier, lcouzens, lphiri, mabashia, mskarbek, omaciel, pbraun, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
This vulnerability in fontTools varLib allows a crafted .designspace file to trigger arbitrary file writes and XML-based content injection during variable-font generation. Because filenames are not sanitized, an attacker can use path traversal to overwrite files anywhere on the filesystem, and malicious payloads embedded in XML labelname elements can be injected directly into the generated output. When these overwritten files reside in executable or web-served locations, this can enable local remote-code execution or corruption of application or configuration files. The issue affects the varLib CLI and any code that invokes fontTools.varLib.main().
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2421328, 2421324, 2421325, 2421326, 2421327, 2421329, 2421330, 2421331, 2421332, 2421333, 2421334, 2421335    
Bug Blocks:    

Description OSIDB Bzimport 2025-11-29 02:01:30 UTC 
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.