Bug 32955

Summary: fonttools new security issue CVE-2023-45139
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: fonttools-4.38.0-2.mga9.src.rpm CVE: CVE-2023-45139
Status comment:

Description Nicolas Salguero 2024-03-11 09:53:44 CET
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/03/08/2
https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5

Version 4.43.0 and above fixed the issue so only Mageia 9 is affected.

The following commit fixes the problem:
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
Nicolas Salguero 2024-03-11 09:54:20 CET

CVE: (none) => CVE-2023-45139
Source RPM: (none) => fonttools-4.38.0-2.mga9.src.rpm

Comment 1 David GEIGER 2024-03-12 05:58:54 CET
Done for mga9!


Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
fonttools-4.38.0-2.1.mga9.noarch.rpm
python3-fonttools+lxml-4.38.0-2.1.mga9.noarch.rpm
python3-fonttools+ufo-4.38.0-2.1.mga9.noarch.rpm
python3-fonttools+unicode-4.38.0-2.1.mga9.noarch.rpm
python3-fonttools+woff-4.38.0-2.1.mga9.noarch.rpm
python3-fonttools-4.38.0-2.1.mga9.noarch.rpm

From SRPMS:
fonttools-4.38.0-2.1.mga9.src.rpm

CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2024-03-14 11:15:41 CET
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues.
No wiki or previous updates, and this is untrodden domain for me, so googled and tried some commands that I could understand (more or less).
Ended up with:
$ ttx -l /usr/share/fonts/ttf/western/Adventure.ttf 
Listing table info for "/usr/share/fonts/ttf/western/Adventure.ttf":
    tag     checksum    length    offset
    ----  ----------  --------  --------
    OS/2  0x16F03A36        78     17988
    PCLT  0xCEADA2CE        54      2604
    cmap  0xA0F0BF80       506       236
    cvt   0x6B2A6F4F       192       744
    fpgm  0x0211C261       472       936
    glyf  0x73FF76A8     14866      2660
    head  0x65C34A1B        54      1408
    hhea  0x0C280510        36     17952
    hmtx  0x760A14DE       392     17528
    loca  0x000AE2D0       396      1464
    maxp  0x014400BE        32     17920
    name  0xABB7AD1F       483      2120
    post  0x090A09B9       230      1888
    prep  0x0D240506        26      1860
At least no error comes up and the formatting is sensible; as to the contents, it is a puzzle for me.
As the command seems to work OK, giving it the go, unless someone else has better ideas.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
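The `ttx -l` listing above is the sfnt table directory of the font (tag, checksum, length, offset per table). The following is an added example, not code from this bug report or from the fonttools project: a small pure-Python parser that reads that directory the same way, bounds-checks every table record against the file size, and recomputes each table's checksum so a QA tester can see whether the directory entries actually agree with the table bytes. The sample font it builds is constructed inline for the demonstration and is not a real font file; the function names (`list_tables`, `verify_checksums`, `build_sample_font`) are this example's own.

```python
import struct

# sfnt offset table and table record layouts (big-endian, per the OpenType spec)
SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
KNOWN_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # TrueType 1.0, 'true', 'OTTO' (CFF)


def sfnt_checksum(data):
    """Sum of big-endian uint32 words over the data padded with zeros to a
    4-byte boundary, modulo 2**32 (the checksum ttx -l prints per table)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack(">I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def table_checksum(tag, data):
    """The 'head' table is checksummed with its checkSumAdjustment field
    (bytes 8..11) treated as zero; every other table is summed as-is."""
    if tag == "head" and len(data) >= 12:
        data = data[:8] + b"\0\0\0\0" + data[12:]
    return sfnt_checksum(data)


def list_tables(font):
    """Return [(tag, checksum, length, offset), ...] from the table directory,
    in the column order ttx -l uses. Rejects truncated directories and records
    that point outside the file instead of trusting them."""
    if len(font) < SFNT_HEADER.size:
        raise ValueError("file too short for an sfnt header")
    version, num_tables, *_ = SFNT_HEADER.unpack_from(font, 0)
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08X" % version)
    entries = []
    for i in range(num_tables):
        pos = SFNT_HEADER.size + i * TABLE_RECORD.size
        if pos + TABLE_RECORD.size > len(font):
            raise ValueError("table directory truncated after %d records" % i)
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(font, pos)
        # Python ints cannot overflow, so offset + length is a safe bounds check
        if offset + length > len(font):
            raise ValueError("table %r points outside the file" % tag)
        entries.append((tag.decode("latin-1"), checksum, length, offset))
    return entries


def verify_checksums(font):
    """Map each table tag to True if the checksum stored in the directory
    matches the checksum recomputed from the table's bytes."""
    results = {}
    for tag, checksum, length, offset in list_tables(font):
        results[tag] = table_checksum(tag, font[offset:offset + length]) == checksum
    return results


def build_sample_font(tables):
    """Assemble a constructed sfnt file from {tag: bytes} (test data only, not a
    usable font): header, sorted table directory, then 4-byte-padded tables."""
    num = len(tables)
    entry_selector = max(num.bit_length() - 1, 0)   # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    range_shift = num * 16 - search_range
    header = SFNT_HEADER.pack(0x00010000, num, search_range, entry_selector, range_shift)
    offset = SFNT_HEADER.size + num * TABLE_RECORD.size
    directory, body = b"", b""
    for tag in sorted(tables):
        data = tables[tag]
        padded = data + b"\0" * (-len(data) % 4)
        directory += TABLE_RECORD.pack(tag.ljust(4).encode("latin-1"),
                                       table_checksum(tag, data), offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


if __name__ == "__main__":
    # Constructed sample: three tables with placeholder contents
    sample = build_sample_font({
        "cmap": b"\0\0\0\1",
        "head": b"\0\1\0\0" + b"\0" * 4 + b"\xaa\xbb\xcc\xdd" + b"\0" * 42,
        "maxp": b"\0\1\0\0" + b"\0" * 28,
    })
    print("    tag     checksum    length    offset")
    for tag, checksum, length, offset in list_tables(sample):
        print("    %-4s  0x%08X  %8d  %8d" % (tag, checksum, length, offset))
    print(verify_checksums(sample))
```

Running the block prints a listing in the same column layout as `ttx -l`; pointing `list_tables` at the bytes of a real file (`open(path, "rb").read()`) lists that font's directory and flags any record whose offset and length reach past the end of the file, which a plain listing tool does not necessarily tell you.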

Comment 3 Thomas Andrews 2024-03-14 13:59:07 CET
I saw this one last night and did the same research as Herman, but it was too late and I was too tired to proceed. Herman, you did as I would have done.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2024-03-14 19:52:35 CET

Keywords: (none) => advisory

Comment 4 Mageia Robot 2024-03-14 20:35:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0060.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED