DEBIAN-CVE-2023-45139

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2023-45139
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-45139.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-45139
Upstream
Published
2024-01-10T16:15:46.767Z
Modified
2025-11-14T04:06:21.814540Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

References

Affected packages

Debian:12 / fonttools

Package

Name
fonttools
Purl
pkg:deb/debian/fonttools?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.38.0-1
4.46.0-1
4.51.0-1
4.54.1-1~exp1
4.54.1-1
4.54.1-2
4.54.1-3
4.54.1-4
4.55.0-1
4.55.0-2
4.55.0-3
4.55.3-1
4.55.3-1+hurd.1
4.55.3-2
4.55.8-1
4.57.0-1
4.57.0-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / fonttools

Package

Name
fonttools
Purl
pkg:deb/debian/fonttools?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.46.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / fonttools

Package

Name
fonttools
Purl
pkg:deb/debian/fonttools?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.46.0-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}