Ubuntu alert USN-7917-1 (fonttools)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7917-1] fontTools vulnerabilities | |
| Date: | Tue, 09 Dec 2025 19:34:02 +0000 | |
| Message-ID: | <E1vT3TG-0000i2-Uc@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-7917-1 December 09, 2025 fonttools vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in fontTools. Software Description: - fonttools: a library for manipulating fonts, written in Python Details: It was discovered that the subsetting module of fontTools was vulnerable to an XML External Entity (XEE) attack. An unauthenticated remote attacker could possibly use this issue to include arbitrary files from the file system or make web requests from the host system. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45139) It was discovered that fontTools was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted .designspace file, an attacker could possibly use this issue to write arbitrary files outside the target directory, resulting in remote code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-66034) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 fonttools 4.55.3-2ubuntu0.25.10.1 python3-fonttools 4.55.3-2ubuntu0.25.10.1 Ubuntu 25.04 fonttools 4.55.3-2ubuntu0.25.04.1 python3-fonttools 4.55.3-2ubuntu0.25.04.1 Ubuntu 24.04 LTS fonttools 4.46.0-1ubuntu0.1~esm1 Available with Ubuntu Pro python3-fonttools 4.46.0-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS fonttools 4.29.1-2ubuntu0.1~esm1 Available with Ubuntu Pro python3-fonttools 4.29.1-2ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7917-1 CVE-2023-45139, CVE-2025-66034 Package Information: https://launchpad.net/ubuntu/+source/fonttools/4.55.3-2ub... https://launchpad.net/ubuntu/+source/fonttools/4.55.3-2ub...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmk4eV0ACgkQcpJm3tlz hgFyMQ//bigFpK5PTFAM4t9w6pF/Df2WsHAkFqfWDGPe4tEzXeBsBealiGZv+0bF J+uRhyIX9OwJs5e4y+KChvqhsoGojGc7oI3T9Od44J3/4k8iHX/fPPZu7+4w9XOW prNskZ8Bkcjt4v4Ga7P22myzQwfJm6IxrZqeV1AEBfWgkfaTEJjdfLUobXMepznE KcwPkiuJoUdN9PxMOpMzMH/2X/0bQTgx/XvRtLKr1VN1V6NZf9JvAtfT8QQZfBkd axtHUeOfpx6gpOnt9S5sZheZzz1mrHTWeUevE4xfawMN0h9poGrM4RiPLd1vawyO IkTUbUxLQIi6WUXyzHxNg98x3nCzIzAhBfpHmQpAnwMDuiwFGU01eJ/DlxOS+5n/ Xd7QZAJ2XFcZjvMDzatRUcw3dsMoYtxjyGAjtHRAtDaym3pq1k7SPF3GIBvQkFiu XWasrwQmGHJ63Pg5f0THklMv1/DzlAtDQ+hDTk6gTCgV7Xqjl/MuTejDg3xmk6Mp WIgHoLHe+0HfEcZDQnz+A4kNfXggQsw8fRBpAjut4qFoelwjb2TXxMzN5Fm+/OuL fVfrRXTpyiWoDzSDFctOF4gNTnsfie0PAr34qbACqrYmQ4ODqsM8UnTLT0JLBGOn WUyppgidGfg3k7e2juOjnnJM3xpo2TOH8/wberi5YVpEMwgu7KI= =jpae -----END PGP SIGNATURE-----