Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1126855,
regarding trixie-pu: package fonttools/4.57.0-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126855: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126855
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:fonttools
User: [email protected]
Usertags: pu

[ Reason ]
Remote code execution bug CVE-2025-66034, see #1121605.

[ Impact ]
Arbitrary files can be written with malicious user input.

[ Tests ]
The codepath still works with a regular designspace file.
I have not tested the vulnerability by manipulating one.

[ Risks ]
The new code uses os.path.basename() to open the file path.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add upstream patch untouched to deal with the CVE-2025-66034.
diff -Nru fonttools-4.57.0/debian/changelog fonttools-4.57.0/debian/changelog
--- fonttools-4.57.0/debian/changelog   2025-04-05 21:52:02.000000000 +0200
+++ fonttools-4.57.0/debian/changelog   2026-02-02 18:00:19.000000000 +0100
@@ -1,3 +1,10 @@
+fonttools (4.57.0-1+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * Apply the upstream fix for CVE-2025-66034. Closes: #1121605
+
+ -- Bastian Germann <[email protected]>  Mon, 02 Feb 2026 18:00:20 +0100
+
 fonttools (4.57.0-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch 
fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch
--- fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch   1970-01-01 
01:00:00.000000000 +0100
+++ fonttools-4.57.0/debian/patches/0005-CVE-2025-66034.patch   2026-02-02 
17:43:47.000000000 +0100
@@ -0,0 +1,64 @@
+Origin: upstream, a696d5ba93270d5954f98e7cab5ddca8a02c1e32
+From: Cosimo Lupo <[email protected]>
+Date: Fri, 21 Nov 2025 17:07:53 +0000
+Subject: varLib: only use the basename(vf.filename)
+
+Fontmake already does that since the beginning:
+https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438
+
+it's safer to disallow path traversal as it may lead to abritrary file write 
vulnerability, see 
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
+---
+ Doc/source/designspaceLib/xml.rst        | 5 +++++
+ Lib/fontTools/designspaceLib/__init__.py | 5 +++++
+ Lib/fontTools/varLib/__init__.py         | 6 +++++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Doc/source/designspaceLib/xml.rst 
b/Doc/source/designspaceLib/xml.rst
+index f5645b8ca4..6896f49e25 100644
+--- a/Doc/source/designspaceLib/xml.rst
++++ b/Doc/source/designspaceLib/xml.rst
+@@ -752,6 +752,11 @@ The ``<variable-fonts>`` element contains one or more 
``<variable-font>`` elemen
+   `.ttf`) and the build tools can replace that extension with another (e.g.
+   `.otf` or `.woff2`) as needed.
+ 
++  .. note::
++     This is intended to be a simple filename (basename or stem) only, not
++     an absolute or relative path. Build tools will only use the basename
++     component and ignore any directory separators for security reasons.
++
+ .. rubric:: Example
+ 
+ .. code:: xml
+diff --git a/Lib/fontTools/designspaceLib/__init__.py 
b/Lib/fontTools/designspaceLib/__init__.py
+index 661f3405da..0996e7b69e 100644
+--- a/Lib/fontTools/designspaceLib/__init__.py
++++ b/Lib/fontTools/designspaceLib/__init__.py
+@@ -1323,6 +1323,11 @@ def __init__(self, *, name, filename=None, 
axisSubsets=None, lib=None):
+         in the document**. The file may or may not exist.
+ 
+         If not specified, the :attr:`name` will be used as a basename for the 
file.
++
++        .. note::
++            This is intended to be a simple filename (basename or stem) only.
++            Build tools will only use the basename component and ignore any
++            directory separators for security reasons.
+         """
+         self.axisSubsets: List[
+             Union[RangeAxisSubsetDescriptor, ValueAxisSubsetDescriptor]
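Review bot: this hunk only documents the restriction in the descriptor's docstring; the `filename` attribute is still stored exactly as read from the designspace, so the actual normalisation lives solely in the varLib `main()` hunk below, and any other consumer that builds an output path from a descriptor's `filename` has to apply the same basename rule itself. A short pointer in the docstring to where the basename is taken (varLib's `main()`) would make that split explicit for callers of the library.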
+diff --git a/Lib/fontTools/varLib/__init__.py 
b/Lib/fontTools/varLib/__init__.py
+index fd0875567c..c19bd15158 100644
+--- a/Lib/fontTools/varLib/__init__.py
++++ b/Lib/fontTools/varLib/__init__.py
+@@ -1562,7 +1562,11 @@ def main(args=None):
+         vf_name_to_output_path[vfs_to_build[0].name] = options.outfile
+     else:
+         for vf in vfs_to_build:
+-            filename = vf.filename if vf.filename is not None else vf.name + 
".{ext}"
++            if vf.filename is not None:
++                # Only use basename to prevent path traversal attacks
++                filename = os.path.basename(vf.filename)
++            else:
++                filename = vf.name + ".{ext}"
+             vf_name_to_output_path[vf.name] = os.path.join(output_dir, 
filename)
+ 
+     finder = MasterFinder(options.master_finder)
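Review bot: `os.path.basename()` returns an empty string for a value with a trailing separator (e.g. `"fonts/"`) and returns `"."` and `".."` unchanged, so after `filename = os.path.basename(vf.filename)` the subsequent `os.path.join(output_dir, filename)` can resolve to `output_dir` itself or to its parent directory rather than to a file; the write then fails with a directory error instead of traversing, but it would be cleaner to fall back to the `vf.name + ".{ext}"` branch (or reject the value) when the basename is empty or a dot entry. Also worth a comment: on POSIX `os.path.basename()` does not treat backslashes as separators, so a Windows-style value ends up as an unusual filename inside `output_dir`, which is contained but may surprise users of designspace files shared across platforms.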
diff -Nru fonttools-4.57.0/debian/patches/series 
fonttools-4.57.0/debian/patches/series
--- fonttools-4.57.0/debian/patches/series      2025-04-05 21:50:48.000000000 
+0200
+++ fonttools-4.57.0/debian/patches/series      2026-02-02 17:45:05.000000000 
+0100
@@ -2,3 +2,4 @@
 0002-keep-doctest-compatible-with-Unicode-15.1.patch
 Skip-test-on-i386-that-fails-because-of-excess-precision.patch
 0004-Disable-new-tests-related-to-unicode-16.0.patch
+0005-CVE-2025-66034.patch

--- End Message ---
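Added example (not part of this bug report, the debdiff, or fonttools itself): a small Python module that puts the pre-fix and post-fix output-path logic of the varLib hunk side by side, with a containment check that shows why the verbatim join in the '-' line of that hunk is an arbitrary-file-write risk and why the basename in the '+' lines removes it. It goes slightly beyond the upstream patch in two labelled places: degenerate basenames ("", ".", "..") fall back to the entry name, and the final path is verified to lie inside the output directory. The function names `stays_within`, `unsafe_output_path` and `safe_output_path`, the output directory `build`, and the sample `filename` values are all constructed for this example.

```python
import os
from typing import Optional


def stays_within(output_dir: str, path: str) -> bool:
    """True if the normalised path is output_dir itself or something below it."""
    root = os.path.abspath(output_dir)
    return os.path.commonpath([root, os.path.abspath(path)]) == root


def unsafe_output_path(output_dir: str, filename: Optional[str], name: str,
                       ext: str = "ttf") -> str:
    """Pre-fix behaviour (the '-' line of the varLib hunk): the filename
    attribute from the designspace is joined verbatim, so any directory
    components it carries end up in the output path."""
    candidate = filename if filename is not None else f"{name}.{ext}"
    return os.path.join(output_dir, candidate)


def safe_output_path(output_dir: str, filename: Optional[str], name: str,
                     ext: str = "ttf") -> str:
    """Post-fix behaviour (the '+' lines of the varLib hunk), plus two
    additions made in this example: degenerate basenames ('', '.', '..')
    fall back to the entry name, and the result is checked to still lie
    inside output_dir before it is returned."""
    candidate = os.path.basename(filename) if filename is not None else ""
    if candidate in ("", ".", ".."):
        # basename('fonts/') == '' and basename('..') == '..': neither names a file
        candidate = f"{name}.{ext}"
    path = os.path.join(output_dir, candidate)
    if not stays_within(output_dir, path):  # defence in depth; should never trigger
        raise ValueError(f"refusing output path outside {output_dir!r}: {path!r}")
    return path


if __name__ == "__main__":
    # Constructed filename attribute values, as they might appear in a
    # <variable-font filename="..."> element of an untrusted designspace.
    samples = ["MyVF-Roman.ttf", "../../etc/evil.ttf", "fonts/", "..", None]
    for value in samples:
        before = unsafe_output_path("build", value, "MyVF")
        after = safe_output_path("build", value, "MyVF")
        print(f"{value!r:>22} -> before: {before!r} "
              f"(inside build: {stays_within('build', before)}) / after: {after!r}")
```

Running the module prints, for each constructed value, the path the old code would have written to and whether it stays under `build`, next to the path the hardened code produces; the containment check uses `os.path.commonpath` on absolute paths so that `..` components are actually resolved rather than string-matched.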
--- Begin Message ---
Package: release.debian.org
Version: 13.4

This update has been released as part of Debian 13.4.

--- End Message ---
