Re: Vulnerabilities in FontTools & FontForge

Related Vulnerabilities: CVE-2023-45139  
oss-sec mailing list archives

From: Hanno Böck <hanno () hboeck de>
Date: Sat, 9 Mar 2024 08:50:24 +0100

Hi,

On Fri, 8 Mar 2024 11:06:35 -0800
Alan Coopersmith <alan.coopersmith () oracle com> wrote:

> - CVE-2023-45139 in FontTools versions >=4.28.2, <4.43.0, fixed in
> 4.43.0
>
>     FontTools uses lxml to process SVG tables in OpenType fonts, and
> had not disabled external entity expansion (which lxml enables by
> default), leading to an XML External Entity (XXE) vulnerability.

I was surprised that any library would do this by default in 2024.
According to their webpage, lxml does *not* enable external entity
expansion by default, but changed the default only very recently.

https://lxml.de/FAQ.html#how-do-i-use-lxml-safely-as-a-web-service-endpoint
says:
" Since version 5.x, lxml disables the expansion of external entities
(XXE) by default. If you really want to allow loading external files
into XML documents using this functionality, you have to explicitly set
resolve_entities=True."

lxml 5.0.0 was released in December 2023.

So it turns out that lxml did enable entity expansion by default up
until very recently, but no longer does. So applications using lxml
should likely still disable it manually for security reasons for a
while, but it is a problem that will go away over time when people
update to lxml 5 or above.

-- 
Hanno Böck
https://hboeck.de/
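
The lxml behaviour discussed in this thread, as an added example that is not part of the original messages and is not FontTools' or lxml's own code. It assumes lxml is installed (the external-entity handling it exercises is libxml2's, reached through `lxml.etree.XMLParser`), and the SVG payload and the "secret" file it reads are constructed here for the demonstration. The parser is built twice: once with `resolve_entities=True`, which is what lxml did by default before 5.0 and what FontTools got for free in the affected versions, and once with the setting pinned to `False`, which is what an application should do explicitly instead of trusting whichever lxml release happens to be installed.

```python
import os
import tempfile
from lxml import etree

SVG_NS = "http://www.w3.org/2000/svg"


def build_xxe_svg(secret_path: str) -> bytes:
    """Constructed sample: an SVG document of the kind an OpenType 'SVG ' table
    carries, whose internal DTD subset declares an external entity pointing at
    a local file (the classic XXE payload). Not taken from any real font."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE svg [\n"
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        "]>\n"
        f'<svg xmlns="{SVG_NS}" id="glyph1">\n'
        "  <text>&xxe;</text>\n"
        "</svg>\n"
    ).encode()


def hardened_parser() -> etree.XMLParser:
    """Parser settings a font/SVG consumer should set explicitly regardless of
    lxml version: never substitute entities (so an external entity is never
    fetched), never load an external DTD, and refuse network access."""
    return etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)


def extract_text(svg_bytes: bytes, parser: etree.XMLParser) -> dict:
    """Parse the SVG and report what ended up inside <text>: substituted text
    (the leak, if any) and the names of entity references left unresolved."""
    root = etree.fromstring(svg_bytes, parser)
    text_el = root.find(f"{{{SVG_NS}}}text")
    # With resolve_entities=False lxml keeps the reference as an _Entity node
    # instead of reading the file, so the text is empty and the name survives.
    unresolved = [child.name for child in text_el if isinstance(child, etree._Entity)]
    return {"text": text_el.text or "", "unresolved": unresolved}


def run_demo() -> dict:
    """Write a throwaway secret file, parse the payload with the pre-lxml-5
    default (resolve_entities=True) and with the hardened parser, and return
    both outcomes. The file and its contents are constructed for the demo."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("TOP-SECRET")
        secret_path = fh.name
    try:
        payload = build_xxe_svg(secret_path)
        vulnerable = extract_text(payload, etree.XMLParser(resolve_entities=True))
        hardened = extract_text(payload, hardened_parser())
    finally:
        os.unlink(secret_path)
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    result = run_demo()
    print("resolve_entities=True :", result["vulnerable"])
    print("hardened parser       :", result["hardened"])
```

The point of pinning `resolve_entities=False` in code rather than relying on the library default is exactly the one made above: an application cannot know whether it will be run against lxml 4.x or 5.x, so the safe setting has to be stated at every parser construction site until no supported deployment can still carry the old default.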
