oss-sec mailing list archives
Re: Vulnerabilities in FontTools & FontForge
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 9 Mar 2024 08:50:24 +0100
Hi,

On Fri, 8 Mar 2024 11:06:35 -0800
Alan Coopersmith <alan.coopersmith () oracle com> wrote:

> - CVE-2023-45139 in FontTools versions >=4.28.2, <4.43.0, fixed in 4.43.0
>   FontTools uses lxml to process SVG tables in OpenType fonts, and had not disabled external entity expansion (which lxml enables by default), leading to an XML External Entity (XXE) vulnerability.
I was surprised that any library would do this by default in 2024.

According to their webpage, lxml does *not* enable external entity expansion by default, but changed the default only very recently.

https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint says:

"Since version 5.x, lxml disables the expansion of external entities (XXE) by default. If you really want to allow loading external files into XML documents using this functionality, you have to explicitly set resolve_entities=True."

lxml 5.0.0 was released in December 2023.

So it turns out that lxml did enable entity expansion by default up until very recently, but no longer does. So applications using lxml should likely still disable it manually for security reasons for a while, but it is a problem that will go away over time when people update to lxml 5 or above.

-- 
Hanno Böck
https://hboeck.de/
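The following is an added example, written for this archive page; it is not code from Hanno's or Alan's mails, nor from FontTools or lxml. It shows the behaviour the thread discusses: an SVG-shaped document with an external entity in its DOCTYPE, parsed once with resolve_entities=True (the pre-5.0 lxml default FontTools inherited) and once with resolve_entities=False (the manual hardening Hanno recommends while lxml < 5 is still around). The XMLParser keywords resolve_entities, no_network and load_dtd are real lxml options; the payload, the temp file, its SECRET-FROM-DISK content and the helper names are constructed for the example. It also includes a pre-parse check built on the standard-library expat parser that rejects any document declaring an external entity, which works whatever lxml version is installed (lxml itself is optional for that part):

```python
import os
import tempfile
import xml.parsers.expat
from pathlib import Path

try:
    from lxml import etree
    LXML_AVAILABLE = True
except ImportError:
    # The expat-based pre-check below works without lxml installed.
    LXML_AVAILABLE = False

SECRET = "SECRET-FROM-DISK"  # constructed file content standing in for a real secret


def xxe_document(file_uri: str) -> bytes:
    """Constructed payload: a DOCTYPE declaring an external entity that points
    at a local file, referenced from inside an SVG-shaped document (the kind of
    input the FontTools SVG-table code hands to lxml)."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "' + file_uri.encode() + b'">]>\n'
        b'<svg><desc>&xxe;</desc></svg>\n'
    )


def declares_external_entity(data: bytes) -> bool:
    """Pre-parse check that does not depend on the lxml version: True if the
    DTD declares any external (SYSTEM/PUBLIC) entity. The stdlib expat parser
    reports declarations but never fetches external entities unless an
    ExternalEntityRefHandler is installed, so running it on untrusted input
    is safe."""
    external = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            external.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input; we only care whether an external entity was declared
    return bool(external)


def parse_with_lxml(data: bytes, resolve_entities: bool):
    """Parse with an explicit lxml parser. resolve_entities=True reproduces the
    pre-5.0 default that FontTools inherited; resolve_entities=False is what an
    application should set itself while it may still run on lxml < 5.
    no_network=True and load_dtd=False are lxml's defaults, repeated here so the
    hardening does not silently depend on them."""
    parser = etree.XMLParser(resolve_entities=resolve_entities,
                             no_network=True, load_dtd=False)
    return etree.fromstring(data, parser)


def demo() -> dict:
    """Write a constructed secret to a temp file, then parse an XXE payload
    referencing it with both settings. Returns the text that ended up in
    <desc> under each setting (only when lxml is installed) plus the
    pre-check verdict."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    try:
        doc = xxe_document(Path(path).as_uri())
        result = {"precheck_flags_it": declares_external_entity(doc)}
        if LXML_AVAILABLE:
            result["expanded"] = parse_with_lxml(doc, resolve_entities=True).findtext("desc")
            result["hardened"] = parse_with_lxml(doc, resolve_entities=False).findtext("desc")
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With expansion enabled the file's content lands in the <desc> element, which is exactly the data an attacker-supplied font could exfiltrate through any code path that later serialises or logs the tree; with resolve_entities=False the entity reference is left unexpanded. Passing the parser explicitly, rather than relying on the library default, is what makes the behaviour the same on lxml 4.x and 5.x.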
Current thread:
- Vulnerabilities in FontTools & FontForge Alan Coopersmith (Mar 08)
- Re: Vulnerabilities in FontTools & FontForge Hanno Böck (Mar 08)