From b8747de8304e49924929c77914df615135286799 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 11 Jan 2024 09:46:43 +0800
Subject: [PATCH] Fix CVE-2023-45139

---
 CVE-2023-45139.patch | 26 +++++++++++++++++++++++++
 python-fonttools.spec | 6 +++++-
 fonttools.yaml => python-fonttools.yaml | 0
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-45139.patch
 rename fonttools.yaml => python-fonttools.yaml (100%)

diff --git a/CVE-2023-45139.patch b/CVE-2023-45139.patch
new file mode 100644
index 0000000..cd15bd4
--- /dev/null
+++ b/CVE-2023-45139.patch
@@ -0,0 +1,26 @@
+From 9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c Mon Sep 17 00:00:00 2001
+From: Cosimo Lupo
+Date: Fri, 15 Sep 2023 16:50:38 +0200
+Subject: [PATCH] subset: parse OT-SVG with resolve_entities=False
+
+Origin: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
+
+to guard against XXE attacks as recommended in https://codeql.github.com/codeql-query-help/python/py-xxe/
+---
+ Lib/fontTools/subset/svg.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Lib/fontTools/subset/svg.py b/Lib/fontTools/subset/svg.py
+index f6d74a4002..2e55bf54c0 100644
+--- a/Lib/fontTools/subset/svg.py
++++ b/Lib/fontTools/subset/svg.py
+@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool:
+ # ignore blank text as it's not meaningful in OT-SVG; it also prevents
+ # dangling tail text after removing an element when pretty_print=True
+ remove_blank_text=True,
++ # don't replace entities; we don't expect any in OT-SVG and they may
++ # aboused for XXE attacks
++ resolve_entities=False,
+ ),
+ )
+
diff --git a/python-fonttools.spec b/python-fonttools.spec
index b3e0d65..f70188a 100644
--- a/python-fonttools.spec
+++ b/python-fonttools.spec
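Review bot: The embedded patch changes only the lxml parser construction in Lib/fontTools/subset/svg.py (its own diffstat is 3 insertions in one file, no test), so nothing in this package's build can demonstrate that entity resolution is actually disabled in the shipped module. Its paths carry the `a/`/`b/` prefix, so it must be applied with one path component stripped (`-p1`); the `%prep` section that would do this is outside this diff. Consider a regression test under `%check` that subsets a font whose OT-SVG document declares an entity and asserts the reference is left unexpanded. The context lines (`remove_blank_text=True,` and the two comments above it) come from upstream at the time of the fix, so confirm they match the 4.39.4 tarball and the patch applies cleanly rather than with fuzz.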
@@ -1,10 +1,11 @@
 Name: fonttools
 Version: 4.39.4
-Release: 1
+Release: 2
 Summary: Tools to manipulate font files
 License: MIT
 URL: https://github.com/fonttools/fonttools/
 Source0: %{url}/archive/refs/tags/%{version}.tar.gz
+Patch0: CVE-2023-45139.patch
 Requires: python3-fonttools
 Requires: python3-setuptools
 BuildArch: noarch
@@ -64,6 +65,9 @@ rm -rf *.egg-info
 %{python3_sitelib}/fonttools-%{version}-py3.*.egg-info
 %changelog
+* Thu Jan 11 2024 wangkai <13474090681@163.com> - 4.39.4-2
+- Fix CVE-2023-45139
+
 * Thu May 18 2023 Ge Wang - 4.39.4-1
 - Update to 4.39.4
diff --git a/fonttools.yaml b/python-fonttools.yaml
similarity index 100%
rename from fonttools.yaml
rename to python-fonttools.yaml
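Review bot: `Patch0: CVE-2023-45139.patch` is declared in the first hunk, but nothing visible applies it; whether it takes effect depends on the `%prep` section, which lies between the two hunks and outside this diff. If `%prep` uses `%setup` rather than `%autosetup -p1`, add `%patch0 -p1` after it, otherwise the build is bumped to Release 2 and the changelog claims the CVE is fixed while the unpatched subsetter still ships. Verifying the build log shows the patch being applied (and that the installed `subset/svg.py` contains `resolve_entities=False`) is the cheapest way to confirm this before release.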