Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva
Who knew that unzipping a font archive could unleash a malicious file
Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places."
On its engineering blog, the Australian outfit explained it's "continuously looking for ways to uplift the security of [its] processes, software, supply chain, and tools," leading it to the "less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing."
That effort yielded three type-related vulns.
CVE-2023-45139 is a high-severity bug (7.5/10) that describes an issue Canva found in FontTools – a library for manipulating fonts, written in Python. The package can use an untrusted XML file when processing an SVG table in an attempt to subset a font (that is, reduce its size by getting rid of unneeded scripts). The researchers used this method to produce a subsetted font with an SVG table that included an entity resolved to a password file.
CVE-2024-25081 and CVE-2024-25082 are both rated 4.2/10, and are respectively associated with naming conventions and compression.
Tools like FontForge and ImageMagick can rename filenames of fonts, allowing users to work within a complex naming system to better locate a desired font inside a collection. However, the need to preserve the filename can lead to security challenges when operating on untrusted data, explained Canva.
The researchers were able to construct a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn't have access – which is bad.
Fonts are often distributed as archive files – an approach that helps to reduce their size and bundle font families together. However, when tools like FontForge reach into the archive file and modify files in situ, they first extract the files to a temporary directory to work on them.
"A vulnerability was discovered when FontForge parses the Table of Contents (TOC) for an archive file. The TOC is a list of all the files compressed in the archive and FontForge uses this to pull a font file out to perform actions on," explained Canva.
"The filename comes from the ArchiveParseTOC function, which means we can create an archive containing a malicious filename, bypassing traditional filename sanitization techniques, and triggering our exploit."
Using this method, the researchers were able to get command injection in FontForge – which they warned is a possibility in both server mode and in the desktop application.
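As an added illustration (not Canva's code, nor FontTools' or FontForge's own), here are the two input checks a defender would put in front of the code paths described above, in Python: refusing any DTD in an SVG table document so that no entity can be declared at all, and allowlisting archive TOC member names before any of them is used to build a path or a command line. All function names and sample data are constructed for this example.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Any entity, internal or external, must be declared in a DTD, and an SVG glyph
# document inside a font has no legitimate need for one, so refuse the DTD outright.
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

# Allowlist for archive member names: a plain filename starting with a letter or
# digit, no directory separators, no shell metacharacters. Reject, don't "sanitize".
_MEMBER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*")


def svg_document_is_safe(data: bytes) -> bool:
    """Accept an SVG table document only if it declares no DTD and parses as XML.
    The DTD check runs before the parser ever sees the bytes."""
    if _DTD_RE.search(data):
        return False
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return False
    return True


def member_name_is_safe(name: str) -> bool:
    """Accept a TOC entry only if the whole name matches the allowlist."""
    return _MEMBER_NAME_RE.fullmatch(name) is not None


def partition_archive_members(archive: bytes) -> tuple[list[str], list[str]]:
    """Read a zip TOC and split member names into (accepted, rejected) lists
    before any name is used for extraction or passed to another tool."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            (accepted if member_name_is_safe(info.filename) else rejected).append(info.filename)
    return accepted, rejected


def build_sample_archive(names: list[str]) -> bytes:
    """Constructed fixture: a zip whose members carry the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"\x00\x01\x00\x00")  # constructed placeholder, not a real font
    return buf.getvalue()

# Constructed samples: a plain glyph document, and one that declares an entity.
GOOD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0h10v10z"/></svg>'
DTD_SVG = b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///dev/null">]><svg>&ext;</svg>'
```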
Canva stressed that the font landscape is rife with attack surfaces, as corporations and individuals alike require unique typography – each with their own specifications.
It's a long-standing problem to which Google even took a critical eye back in 2015, when its Project Zero released a series of blogs around font security. Back then, most problems were related to memory corruption bugs during font processing.
Canva has advocated treating fonts like any other untrusted input. "We hope to see more font security research in the future, because we believe it's an area still lacking in security maturity."