!22 Fix CVE-2023-45139 and yaml name

From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2023-45139.patch

@@ -0,0 +1,26 @@
+From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
+From: Cosimo Lupo <clupo@google.com>
+Date: Fri, 15 Sep 2023 16:50:38 +0200
+Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False
+
+Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
+
+to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
+---
+ Lib/fontTools/subset/svg.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
+index f6d74a4002..2e55bf54c0 100644
+--- a/Lib/fontTools/subset/svg.py
++++ b/Lib/fontTools/subset/svg.py
+@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
+                 # ignore blank text as it's not meaningful in OT-SVG; it also prevents
+                 # dangling tail text after removing an element when pretty_print=True
+                 remove_blank_text=True,
++                # don't replace entities; we don't expect any in OT-SVG and they may
++                # aboused for XXE attacks
++                resolve_entities=False,
+             ),
+         )
+ 

python-fonttools.spec

@@ -1,10 +1,11 @@
 Name:           fonttools
 Version:        4.39.4
-Release:        1
+Release:        2
 Summary:        Tools to manipulate font files
 License:        MIT
 URL:            https://github.com/fonttools/fonttools/
 Source0:        %{url}/archive/refs/tags/%{version}.tar.gz
+Patch0:         CVE-2023-45139.patch
 Requires:       python3-fonttools
 Requires:       python3-setuptools
 BuildArch:      noarch
@@ -64,6 +65,9 @@ rm -rf *.egg-info
 %{python3_sitelib}/fonttools-%{version}-py3.*.egg-info
 
 %changelog
+* Thu Jan 11 2024 wangkai <13474090681@163.com> - 4.39.4-2
+- Fix CVE-2023-45139
+
 * Thu May 18 2023 Ge Wang <wang__ge@126.com> - 4.39.4-1
 - Update to 4.39.4