Debian Patches
Status for fonttools/4.38.0-1+deb12u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-add-module-path-for-automodule-directive.patch | add module path for automodule directive | Hideki Yamane <henrich@debian.org> | no | | | 2017-08-28 |
| 0002-CVE-2025-66034.patch | designspaceLib: only use the basename of variable font filename. Backported for fonttools 4.38.0. Sanitize the filename when reading from the designspace XML to prevent path traversal attacks that could lead to arbitrary file write. See https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv | Cosimo Lupo <clupo@google.com> | no | | backport, a696d5ba93270d5954f98e7cab5ddca8a02c1e32 | 2025-11-21 |
| 0003-CVE-2023-45139.patch | subset: parse OT-SVG with resolve_entities=False to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/ | Cosimo Lupo <clupo@google.com> | no | | upstream, 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c | 2023-09-15 |
All known versions for source package 'fonttools'
- 4.62.1-7 (forky, sid)
- 4.57.0-1+deb13u1 (trixie)
- 4.38.0-1+deb12u1 (bookworm)
