5 changed files with 5 additions and 49 deletions
--- a/4.39.4.tar.gz
+++ b/4.39.4.tar.gz
--- a/CVE-2023-45139.patch
+++ b/CVE-2023-45139.patch
@ -1,26 +0,0 @@
-From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
-From: Cosimo Lupo <clupo@google.com>
-Date: Fri, 15 Sep 2023 16:50:38 +0200
-Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False
-
-Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
-
-to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
---
- Lib/fontTools/subset/svg.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
-index f6d74a4002..2e55bf54c0 100644
--- a/Lib/fontTools/subset/svg.py
-+++ b/Lib/fontTools/subset/svg.py
-@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
-                 # ignore blank text as it's not meaningful in OT-SVG; it also prevents
-                 # dangling tail text after removing an element when pretty_print=True
-                 remove_blank_text=True,
-+                # don't replace entities; we don't expect any in OT-SVG and they may
-+                # aboused for XXE attacks
-+                resolve_entities=False,
-             ),
-         )
- 
--- a/fonttools-3.29.0.zip
+++ b/fonttools-3.29.0.zip
--- a/python-fonttools.spec
+++ b/python-fonttools.spec
@ -1,13 +1,11 @@
 Name:           fonttools
-Version:        4.39.4
-Release:        2
+Version:        3.29.0
+Release:        3
 Summary:        Tools to manipulate font files
 License:        MIT
 URL:            https://github.com/fonttools/fonttools/
-Source0:        %{url}/archive/refs/tags/%{version}.tar.gz
-Patch0:         CVE-2023-45139.patch
+Source0:        %{url}/releases/download/%{version}/fonttools-%{version}.zip
 Requires:       python3-fonttools
-Requires:       python3-setuptools
 BuildArch:      noarch
 Provides:       ttx = %{version}-%{release}

@ -21,9 +19,8 @@ project has an MIT open-source licence.
 %package -n python3-fonttools
 Summary:        Python 3 fonttools library
 BuildRequires:  python3-devel python3-numpy python3-setuptools_scm
-BuildRequires:  python3-setuptools
 BuildArch:      noarch
-
+Requires:       python3-numpy
 %{?python_provide:%python_provide python3-fonttools}

 %description -n python3-fonttools
@ -62,24 +59,9 @@ rm -rf *.egg-info
 %files -n python3-fonttools
 %doc LICENSE
 %{python3_sitelib}/fontTools
-%{python3_sitelib}/fonttools-%{version}-py3.*.egg-info
+%{python3_sitelib}/fonttools-%{version}-py3.?.egg-info

 %changelog
-* Thu Jan 11 2024 wangkai <13474090681@163.com> - 4.39.4-2
- Fix CVE-2023-45139
-
-* Mon Dec 11 2023 wangkai <13474090681@163.com> - 4.39.4-1
- Update fonttools to 4.39.4
-
-* Mon Jan 9 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 3.29.0-6 
- fix test
-
-* Tue Jan 11 2022 houyingchao <houyingchao@huawei.com> - 3.29.0-5
- Replace totring with tobytes
-
-* Fri Jan 07 2022 houyingchao <houyingchao@huawei.com> - 3.29.0-4
- Replace fromtring with frombytes
-
 * Thu Oct 22 2020 huanghaitao <huannghaitao8@huawei.com> - 3.29.0-3
 - Disable python2 module

--- a/python-fonttools.yaml
+++ b/python-fonttools.yaml