VDB
MAGEIA-2024-60
MAGEIA-2024-60
PUBLISHED
As of fonttools>=4.28.2 the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mageia | python-pyaudio | 0.2.14-1.mga9, 0 |
| Mageia | fonttools | 0, 4.38.0-2.1.mga9, 0 |
Timeline
- Feb 19, 2024 CVE Published
- Mar 14, 2024 CVE Updated
References
- Updated fonttools packages fix security vulnerabilities advisory
- Updated fonttools packages fix security vulnerabilities issue
- Updated fonttools packages fix security vulnerabilities issue
- Updated fonttools packages fix security vulnerabilities issue
- Updated python3-pyaudio packages fix compatibility with python 3.10 advisory
- Updated python3-pyaudio packages fix compatibility with python 3.10 issue