Canva Uncovers Security Issues in Fonts

The online graphic design platform Canva has disclosed three security vulnerabilities in font-processing software, found in places it had not expected to look. The Australian company described the work on its engineering blog, stating that it is always striving to enhance the security of its processes, software, supply chain, and tools. This led the team to explore “less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing.”

Canva's research resulted in three type-related vulnerabilities. The first, CVE-2023-45139, is a high-severity bug with a CVSS score of 7.5. It affects FontTools, a Python library for manipulating fonts. When subsetting a font, the SVG table subsetter parsed the table's XML from an untrusted file with entity resolution enabled, so a crafted font could carry an XML external entity (XXE) declaration. The researchers used this to produce a subsetted font whose SVG table contained an entity that resolved to the system's password file, pulling that file's contents into the output font.
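The following is an added example, not FontTools' own code, showing the XXE pattern behind that bug and the parser setting that closes it. It uses Python's standard-library SAX parser so it runs offline; the "SVG table" document and the secret file it reads are constructed here, with a temporary file standing in for /etc/passwd. The real subsetter used lxml, where the equivalent switch is `etree.XMLParser(resolve_entities=False)`.

```python
"""Added example (not FontTools code): the XXE pattern behind CVE-2023-45139.

Assumptions: the SVG-table XML and the secret file are constructed below;
a temporary file stands in for the password file the researchers read.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects character data, i.e. what a subsetter would copy into the output font."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_svg_table_xml(xml_bytes, resolve_external_entities):
    """Parse SVG-table XML and return its text content.

    resolve_external_entities=True  -> VULNERABLE: a SYSTEM entity becomes a
        file read and its contents flow into the parsed document (and so into
        the subsetted font).
    resolve_external_entities=False -> HARDENED: the entity reference is
        skipped and no file is opened.
    """
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def malicious_svg_table(secret_path):
    """Constructed attacker-controlled SVG table: a DTD declares an external
    entity pointing at a local file and references it inside a glyph."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE svg [<!ENTITY xxe SYSTEM "%s">]>'
        '<svg xmlns="http://www.w3.org/2000/svg">'
        '<g id="glyph1"><text>&xxe;</text></g>'
        '</svg>' % secret_path
    ).encode("utf-8")


def demo():
    """Run the same crafted table through both parser configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for /etc/passwd.
        secret_path = os.path.join(tmp, "passwd")
        with open(secret_path, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        doc = malicious_svg_table(secret_path)
        return {
            "vulnerable": parse_svg_table_xml(doc, resolve_external_entities=True),
            "hardened": parse_svg_table_xml(doc, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for mode, text in demo().items():
        print("%-10s %r" % (mode, text))
```

The vulnerable run returns the contents of the secret file as the glyph's text; the hardened run returns an empty string because the reference is skipped. Disabling entity resolution is the minimal fix; a stricter policy for font tooling is to reject any SVG table that contains a DOCTYPE at all, since a glyph document has no legitimate need for one.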

The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both scored 4.2 and concern how font filenames and compressed font archives are handled. Canva explained that tools such as FontForge and ImageMagick handle font filenames in ways that become dangerous when operating on untrusted data, because a crafted filename can be interpreted as more than just a name.

One of these vulnerabilities involved FontForge running shell commands, which let a crafted font cause it to open files it should not have access to. Fonts are often distributed as archive files, and when a tool such as FontForge opens one, it extracts the archive into a temporary directory to work on its contents. The researchers found that FontForge's handling of an archive's table of contents (the list of member files) passed those names into a shell command without escaping them, so a crafted member name could result in command injection.
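The following is an added example, not FontForge's code, showing why splicing an archive member name into a shell command line is a command injection and what the fix looks like. It builds an in-memory tar archive whose single member has a constructed name containing a `;`, lists the members the way a table-of-contents step would, and then "processes" each name three ways. It assumes a POSIX `/bin/sh` and an `echo` binary; `echo` stands in for whatever tool the real code invoked on each file.

```python
"""Added example (not FontForge code): command injection through an archive
member name, and the argv-based fix.

Assumptions: POSIX sh and echo are available; the archive and its member
name are constructed here to stand in for an attacker-supplied font archive.
"""
import io
import shlex
import subprocess
import tarfile

# Constructed member name: everything after ';' is a second shell command.
MALICIOUS_MEMBER = "font.ttf; echo INJECTED"


def build_font_archive(member_name):
    """Create an in-memory tar archive with one junk 'font' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"not really a font"
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(archive):
    """The table-of-contents step: read member names in-process with tarfile
    rather than by parsing the output of 'tar -tf'."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return tar.getnames()


def process_member_vulnerable(member_name):
    # VULNERABLE: the name is concatenated into a command line that a shell
    # parses. A ';' in the name ends 'echo' and starts a second command.
    cmd = "echo processing " + member_name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def process_member_hardened(member_name):
    # FIXED: an argv vector and no shell. The name is a single argument no
    # matter which characters it contains.
    argv = ["echo", "processing", member_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def process_member_quoted(member_name):
    # If a shell really is unavoidable, quote every untrusted token.
    cmd = "echo processing " + shlex.quote(member_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_injected(output):
    """True when the injected command ran, i.e. INJECTED appears as its own line."""
    return "INJECTED" in output.splitlines()


def demo():
    """Return the three outputs for every member of the crafted archive."""
    archive = build_font_archive(MALICIOUS_MEMBER)
    results = {}
    for name in list_members(archive):
        results[name] = {
            "vulnerable": process_member_vulnerable(name),
            "hardened": process_member_hardened(name),
            "quoted": process_member_quoted(name),
        }
    return results


if __name__ == "__main__":
    for name, outputs in demo().items():
        for mode, out in outputs.items():
            print("%-10s injected=%s %r" % (mode, is_injected(out), out))
```

Only the vulnerable variant prints `INJECTED` on its own line; the argv and quoted variants echo the literal name, semicolon and all. The same rule applies to C code such as FontForge's: `execvp`/`posix_spawn` with an argument vector instead of `system()` or `popen()` with a formatted string.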

Canva emphasized that the font landscape is full of potential attack surface, since unique typography matters to corporations and individuals alike and font files pass through many tools along the way. The company hopes to see more research on font security, which it considers an area that still lacks maturity. This is not the first time font handling has come under scrutiny: Google's Project Zero highlighted memory corruption bugs in font processing back in 2015.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.