Your message dated Sun, 04 Jan 2026 20:37:54 +0000
with message-id <E1vcUrK-0000000AMGQ-0JlM@fasolo.debian.org>
and subject line Bug#1121605: fixed in fonttools 4.61.1-1
has caused the Debian Bug report #1121605,
regarding fonttools: CVE-2025-66034
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1121605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121605
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: fonttools: CVE-2025-66034
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 29 Nov 2025 10:38:20 +0100
- Message-id: <176440910080.1820672.2192710974204193915.reportbug@eldamar.lan>
Source: fonttools
Version: 4.57.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.57.0-1

Hi,

The following vulnerability was published for fonttools.

CVE-2025-66034[0]:
| fontTools is a library for manipulating fonts, written in Python. In
| versions from 4.33.0 to before 4.60.2, the fonttools varLib (or
| python3 -m fontTools.varLib) script has an arbitrary file write
| vulnerability that leads to remote code execution when a malicious
| .designspace file is processed. The vulnerability affects the main()
| code path of fontTools.varLib, used by the fonttools varLib CLI and
| any code that invokes fontTools.varLib.main(). This issue has been
| patched in version 4.60.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66034
    https://www.cve.org/CVERecord?id=CVE-2025-66034
[1] https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
[2] https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
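The CVE text above gives the affected range as "from 4.33.0 to before 4.60.2". The following script is an added example (not part of the bug report, the Debian package, or fontTools itself) that turns that range into a check a practitioner can run against either a plain upstream version string or a Debian package version with epoch and revision such as "1:4.57.0-3". The `installed_fonttools_affected()` helper reads `fontTools.version`, which upstream exposes as the module's version string; the function and range constants are this example's own names.

```python
"""Check whether a fontTools version string falls inside the CVE-2025-66034
affected range (4.33.0 <= version < 4.60.2, per the advisory text).

Added example; not part of the Debian bug report or of fontTools itself.
Handles plain upstream versions ("4.57.0") as well as Debian package
versions carrying an epoch and a revision ("1:4.57.0-3").
"""
import re
from typing import Optional, Tuple

# Range taken from the CVE text: "versions from 4.33.0 to before 4.60.2".
AFFECTED_SINCE = (4, 33, 0)
FIXED_IN = (4, 60, 2)


def upstream_version(pkg_version: str) -> str:
    """Strip a Debian epoch ("1:") and Debian revision ("-3") from a
    package version, leaving the upstream part. Plain upstream version
    strings pass through unchanged."""
    v = pkg_version.strip()
    if ":" in v:                      # epoch, e.g. "1:4.57.0-3"
        v = v.split(":", 1)[1]
    if "-" in v:                      # Debian revision follows the last hyphen
        v = v.rsplit("-", 1)[0]
    return v


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading numeric release segment as a (major, minor, patch)
    tuple. Suffixes such as "+dfsg" or "rc1" are ignored, so a pre-release
    is treated like its final release (a simplifying assumption)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))   # "4.33" -> (4, 33, 0)
    return tuple(parts[:3])


def is_affected(pkg_version: str) -> bool:
    """True if the upstream version is in [AFFECTED_SINCE, FIXED_IN).

    Caveat: a distribution package may carry a backported fix without an
    upstream version bump; for Debian, the security tracker entry linked
    in the bug report is authoritative, not this comparison alone."""
    v = parse_version(upstream_version(pkg_version))
    return AFFECTED_SINCE <= v < FIXED_IN


def installed_fonttools_affected() -> Optional[bool]:
    """Check the fontTools module importable by this interpreter.
    Returns None when fontTools is not installed."""
    try:
        import fontTools  # fontTools.version is the upstream version string
    except ImportError:
        return None
    return is_affected(fontTools.version)


if __name__ == "__main__":
    # Constructed sample inputs spanning both sides of the affected range.
    for v in ("4.32.9", "4.33.0", "4.57.0-3", "1:4.60.1-1", "4.60.2", "4.61.1-1"):
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("installed fontTools:", installed_fonttools_affected())
```

Run it directly to see the table for the constructed samples and the verdict for whatever fontTools the interpreter can import; for a Debian system, feed it the output of `dpkg-query -W -f='${Version}' python3-fonttools` and cross-check against the security tracker, since the fixed version in stable may differ from upstream's 4.60.2.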
--- Begin Message ---
- To: 1121605-close@bugs.debian.org
- Subject: Bug#1121605: fixed in fonttools 4.61.1-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 04 Jan 2026 20:37:54 +0000
- Message-id: <E1vcUrK-0000000AMGQ-0JlM@fasolo.debian.org>
- Reply-to: toddy@debian.org (Dr. Tobias Quathamer)
Source: fonttools
Source-Version: 4.61.1-1
Done: Dr. Tobias Quathamer <toddy@debian.org>

We believe that the bug you reported is fixed in the latest version of
fonttools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1121605@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated fonttools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Jan 2026 17:34:24 +0100
Source: fonttools
Architecture: source
Version: 4.61.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Fonts Task Force <debian-fonts@lists.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 1082582 1121605
Changes:
 fonttools (4.61.1-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Dr. Tobias Quathamer ]
   * New upstream version 4.61.1
     - This release includes the fix for CVE-2025-66034. Closes: #1121605
     - Refresh patch
     - Remove patch, has been fixed upstream
   * Update FSF address in d/copyright
   * Remove Priority: optional from d/control
   * Update Standards-Version to 4.7.3
   * Depend on python3-ufolib2 (>= 0.18.1)
   * Remove dependency on python3-fs (Closes: #1082582)
 .
   [ Debian Janitor ]
   * Remove constraints unnecessary since buster (archived release)
Checksums-Sha1:
 5a421295116b70d8e44808f73d1479993dc68c13 3177 fonttools_4.61.1-1.dsc
 762663fd3ed8ea53da7b16ada7afc5d5cdaab68f 2726200 fonttools_4.61.1.orig.tar.xz
 bb1585ed8f2a6c9b099a2992a596b852bda0d991 12288 fonttools_4.61.1-1.debian.tar.xz
 edd90991342958391f42b40e18e6d402a704475e 12266 fonttools_4.61.1-1_amd64.buildinfo
Checksums-Sha256:
 509e663f10c9183cd5f23fdcd08237f329ccf2e30f06d8e18e2ad493de4e76d2 3177 fonttools_4.61.1-1.dsc
 20d56fed490ece4649f306f325029e22337e7d5abe21815f1b779bdaa7ce692d 2726200 fonttools_4.61.1.orig.tar.xz
 067ae3bcb9b7ad51b93265cd7bbcabc7ca6e79d46ba7afcbad5844b6fdc77273 12288 fonttools_4.61.1-1.debian.tar.xz
 9184f6e09b9cd97432117a121fcc1c45b6bd0de3b81073ba4e843fe2399dac30 12266 fonttools_4.61.1-1_amd64.buildinfo
Files:
 75752d2975fb1d8763eb19b83ad3991b 3177 devel optional fonttools_4.61.1-1.dsc
 8b99cc87d2e4b0fccafb73b9d15593c8 2726200 devel optional fonttools_4.61.1.orig.tar.xz
 29ffd6709f76630103f90faa8d6b3ba7 12288 devel optional fonttools_4.61.1-1.debian.tar.xz
 5846945e226550516b505f8ed0fa75a2 12266 devel optional fonttools_4.61.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0cuPObxd7STF0seMEwLx8Dbr6xkFAmlavDEACgkQEwLx8Dbr
6xkv0xAAheuY4G784PPPb+F9MTkUhB8T4GHCj0Ajk+q3p2K/FyzIkifvu4ORJOet
0V2rwaDkOxe+eH8k0niHJ9tSb86k84M/VdRUfO9EGB9JRFsMLhRE8+YO2WiJqkal
3vw1DOMZnxFBoe/m50OsqedKNPiLAW+jWb9sgqQb8iVMkmK49Y6desd0Th2d5ljj
nL4+krJ7X7xNrCOVgQ5LiQlNRO8UibzRnpap4qiHD9kkQ0iv/5Jp5GiUJ545KbQ/
D+X5XyBDvB1mvrNyE9dFyz4D7RcfRJMgqivR0o9qler4GTrDzCRCJNGqwZvVMJyM
FOVuf4PJsZ079zN4DrckBqUyVNVD03Q9P8m9I6r9RSYcqqVs8yREKUs+bX2ea32w
FWmWlbSKe2aDok2zpCIKZERssEtxG7mFkDLJYHFwgzcRaEz6NGlo5EmZFfs+wmA6
8nhp5sBtEL0NZ+q+lDRir1jPjEjiO+PI476qNQq0yuiZ9X39uf39vdZehJYjbNCF
b0EPfZz9WfRz/OlYGQxgNPDdZWef0s2UoOjP7ySl7huIBZgaOMvdoRvLA/oVHp65
3KNqah1MBZza7kHTD8LMsES6G60n7rq/H5bFTa7V/fEQonu9MhauROY5oahFIPiv
CE/weEaOvYH/gAmtSDnNsc8QrecYU8hjY6soVu1OAGXtB9A8I5o=
=nWGD
-----END PGP SIGNATURE-----

Attachment: pgpBSILOO4pD1.pgp
Description: PGP signature
--- End Message ---