Compare commits


10 Commits

Author SHA1 Message Date
openeuler-ci-bot
ec57b56418
!24 [sync] PR-23: Fix CVE-2023-45139
From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
2024-01-11 02:51:17 +00:00
wk333
11b9f9978b Fix CVE-2023-45139
(cherry picked from commit e198f4076cc7dbd8712a7a1785d4a586b4697038)
2024-01-11 10:13:23 +08:00
openeuler-ci-bot
dcbdb91ac0
!21 [sync] PR-20: Update fonttools to 4.39.4
From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
2023-12-11 09:06:06 +00:00
wk333
47e233ac68 Update fonttools to 4.39.4
(cherry picked from commit 0cfdd8328e67f588e16562736284a21139cf6b43)
2023-12-11 16:46:52 +08:00
openeuler-ci-bot
a09180e43e
!15 fix test
From: @zhang-liang-pengkun 
Reviewed-by: @Charlie_li 
Signed-off-by: @Charlie_li
2023-01-09 08:25:21 +00:00
zhangliangpengkun
e47db3c2cd fix test
Signed-off-by: zhangliangpengkun <zhangliangpengkun@xfusion.com>
2023-01-09 14:54:58 +08:00
openeuler-ci-bot
ed3f35e623
!8 Replace totring with tobytes
Merge pull request !8 from houyingchao/openEuler-22.03-LTS-Next
2022-01-11 02:57:44 +00:00
houyingchao
9e8abb4959 Replace totring with tobytes
2022-01-11 10:44:11 +08:00
openeuler-ci-bot
e8d9aadea1
!7 Replace fromtring with frombytes
Merge pull request !7 from houyingchao/openEuler-22.03-LTS-Next
2022-01-07 11:31:34 +00:00
houyingchao
9fe578bd41 Replace fromtring with frombytes
2022-01-07 14:18:05 +08:00
5 changed files with 49 additions and 5 deletions

BIN
4.39.4.tar.gz Normal file

Binary file not shown.

CVE-2023-45139.patch Normal file (26 lines)

@ -0,0 +1,26 @@
From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
From: Cosimo Lupo <clupo@google.com>
Date: Fri, 15 Sep 2023 16:50:38 +0200
Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False
Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
---
Lib/fontTools/subset/svg.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
index f6d74a4002..2e55bf54c0 100644
--- a/Lib/fontTools/subset/svg.py
+++ b/Lib/fontTools/subset/svg.py
@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
# ignore blank text as it's not meaningful in OT-SVG; it also prevents
# dangling tail text after removing an element when pretty_print=True
remove_blank_text=True,
+ # don't replace entities; we don't expect any in OT-SVG and they may
+ # aboused for XXE attacks
+ resolve_entities=False,
),
)
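Review bot: the comment on the added lines misspells "abused" as "aboused" ("they may aboused for XXE attacks"); since this file is carried as a patch in the package, fix the wording here rather than waiting for upstream. On substance, resolve_entities=False makes the lxml XMLParser (the parser whose remove_blank_text option is visible above) leave entity references unexpanded, including external ones, which is the XXE vector named in the subject line; the hunk shows only the tail of the XMLParser(...) call, so confirm that load_dtd and no_network are left at their lxml defaults (False and True) elsewhere in the call so nothing reopens external entity loading.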


@ -1,11 +1,13 @@
Name: fonttools Name: fonttools
Version: 3.29.0 Version: 4.39.4
Release: 3 Release: 2
Summary: Tools to manipulate font files Summary: Tools to manipulate font files
License: MIT License: MIT
URL: https://github.com/fonttools/fonttools/ URL: https://github.com/fonttools/fonttools/
Source0: %{url}/releases/download/%{version}/fonttools-%{version}.zip Source0: %{url}/archive/refs/tags/%{version}.tar.gz
Patch0: CVE-2023-45139.patch
Requires: python3-fonttools Requires: python3-fonttools
Requires: python3-setuptools
BuildArch: noarch BuildArch: noarch
Provides: ttx = %{version}-%{release} Provides: ttx = %{version}-%{release}
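Review bot: Source0 now fetches the GitHub auto-generated archive (%{url}/archive/refs/tags/%{version}.tar.gz) instead of the release artifact; such archives are produced on demand and are not guaranteed to stay byte-identical over time, so the 4.39.4.tar.gz committed in this change should be the reference copy, checked once against upstream, rather than something re-downloaded at build time. Patch0: CVE-2023-45139.patch is declared here but %prep is outside this hunk; confirm that section actually applies it (e.g. %autosetup -p1, since the patch uses a/ and b/ path prefixes), otherwise the changelog entry "Fix CVE-2023-45139" would not be true of the built package.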
@ -19,8 +21,9 @@ project has an MIT open-source licence.
%package -n python3-fonttools %package -n python3-fonttools
Summary: Python 3 fonttools library Summary: Python 3 fonttools library
BuildRequires: python3-devel python3-numpy python3-setuptools_scm BuildRequires: python3-devel python3-numpy python3-setuptools_scm
BuildRequires: python3-setuptools
BuildArch: noarch BuildArch: noarch
Requires: python3-numpy
%{?python_provide:%python_provide python3-fonttools} %{?python_provide:%python_provide python3-fonttools}
%description -n python3-fonttools %description -n python3-fonttools
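Review bot: the new "Requires: python3-numpy" turns numpy into a hard runtime dependency of python3-fonttools; confirm that the 4.39.4 code imports it unconditionally, otherwise a weak dependency would avoid pulling numpy onto every system that installs the library. The added "BuildRequires: python3-setuptools" is fine and is distinct from the python3-setuptools_scm already listed on the preceding line.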
@ -59,9 +62,24 @@ rm -rf *.egg-info
%files -n python3-fonttools %files -n python3-fonttools
%doc LICENSE %doc LICENSE
%{python3_sitelib}/fontTools %{python3_sitelib}/fontTools
%{python3_sitelib}/fonttools-%{version}-py3.?.egg-info %{python3_sitelib}/fonttools-%{version}-py3.*.egg-info
%changelog %changelog
* Thu Jan 11 2024 wangkai <13474090681@163.com> - 4.39.4-2
- Fix CVE-2023-45139
* Mon Dec 11 2023 wangkai <13474090681@163.com> - 4.39.4-1
- Update fonttools to 4.39.4
* Mon Jan 9 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 3.29.0-6
- fix test
* Tue Jan 11 2022 houyingchao <houyingchao@huawei.com> - 3.29.0-5
- Replace totring with tobytes
* Fri Jan 07 2022 houyingchao <houyingchao@huawei.com> - 3.29.0-4
- Replace fromtring with frombytes
* Thu Oct 22 2020 huanghaitao <huannghaitao8@huawei.com> - 3.29.0-3 * Thu Oct 22 2020 huanghaitao <huannghaitao8@huawei.com> - 3.29.0-3
- Disable python2 module - Disable python2 module
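Review bot: the 3.29.0-6 changelog header is missing the space between the author and the e-mail address ("zhangliangpengkun<zhangliangpengkun@xfusion.com>"); rpm tooling expects "Name <email>", so write it as "zhangliangpengkun <zhangliangpengkun@xfusion.com>" to match the other entries. The %files change from py3.?.egg-info to py3.*.egg-info is correct: the single-character glob would not match two-digit Python minor versions such as py3.10.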