Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 9 Mar 2024 08:50:24 +0100
From: Hanno Böck <>
Subject: Re: Vulnerabilties in FontTools & FontForge


On Fri, 8 Mar 2024 11:06:35 -0800
Alan Coopersmith <> wrote:

> - CVE-2023-45139 in FontTools versions >=4.28.2, <4.43.0, fixed in
> 4.43.0
>     FontTools uses lxml to process SVG tables in OpenType fonts, and
> had not disabled external entity expansion (which lmxl enables by
> default), leading to an XML External Entity (XXE) vulnerability.

I was surprised that any library would do this by default in 2024.
According to their webpage, lxml does *not* enable external entity
expansion by default, but changed the default only very recently.
" Since version 5.x, lxml disables the expansion of external entities
(XXE) by default. If you really want to allow loading external files
into XML documents using this functionality, you have to explicitly set

lxml 5.0.0 was released in December 2023.

So it turns out that lxml did enable entity expansion by default up
until very recently, but no longer does. So applications using lxml
should likely still disable it manually for security reasons for a
while, but it is a problem that will go away over time when people
update to lxml 5 or above.

Hanno Böck

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.