Canva's deep dive into the world of font security uncovered three unexpected vulnerabilities and revealed how choosing the wrong font could spell cybersecurity disaster.
In an effort to improve the security of its tools, Canva has been investigating less explored attack surfaces, including fonts, which play an integral role in graphics processing.
The three vulnerabilities were described in a report titled “Fonts remain a Swiss problem,” in which Canva concluded that the font landscape offers a surprisingly rich attack surface.
Canva cares about the font you use
The first vulnerability, identified as CVE-2023-45139, was discovered in FontTools, a Python library for manipulating fonts. Canva found that when subsetting a font that contains an SVG table, FontTools parsed the table's untrusted XML, leading to an XML External Entity (XXE) vulnerability.
The researchers demonstrated the flaw by producing a subset font whose SVG table contained a payload that pulled in /etc/passwd. FontTools released a patch three days after being notified of the vulnerability in September 2023.
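What a defensive pre-check for the SVG table case above can look like, as an added example that is not Canva's or FontTools' own code: a Python function that parses an OpenType SVG glyph document with expat handlers that refuse DOCTYPE and entity declarations, so an external-entity reference like the /etc/passwd payload mentioned is rejected before anything is resolved. The function names and the two sample documents are constructed for this illustration.

```python
import xml.parsers.expat


class UnsafeSvgTable(ValueError):
    """The SVG glyph document tried to use DTD or entity features."""


def check_svg_document(xml_bytes: bytes) -> str:
    """Parse one SVG table document with expat handlers that refuse DTD features.

    Returns the root element name; raises UnsafeSvgTable on any DOCTYPE,
    entity declaration or external entity reference, before anything is fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    root_name = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgTable(f"DOCTYPE not allowed in SVG table (name={name!r})")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvgTable(f"entity declaration not allowed (name={name!r}, system={sysid!r})")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeSvgTable(f"external entity reference not allowed (system={sysid!r})")

    def record_root(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = record_root
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate out of Parse
    return root_name[0]


def triage(xml_bytes: bytes) -> tuple:
    """Classify a document as ('ok', root), ('rejected', reason) or ('malformed', reason)."""
    try:
        return ("ok", check_svg_document(xml_bytes))
    except UnsafeSvgTable as exc:
        return ("rejected", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("malformed", str(exc))


# Constructed samples: a harmless glyph document and one carrying the kind of
# external-entity payload described above (the parser never fetches it).
BENIGN_GLYPH = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<g id="glyph1"><path d="M0 0h10v10H0z"/></g></svg>')
XXE_GLYPH = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
             b'<svg xmlns="http://www.w3.org/2000/svg"><g id="glyph1"><text>&ext;</text></g></svg>')
```

Running `triage` over the two samples returns `('ok', 'svg')` for the benign glyph and a `rejected` tuple naming the DOCTYPE for the other, which is the signal a font pipeline can use to drop the file before subsetting.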
The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated 4.2/10, involved font file naming and font compression. Canva found that file names could lead to command injection in tools such as FontForge and ImageMagick. Both issues have also been addressed.
Recognizing the timely work of the maintainers of open source tools and software, Canva noted that IT workers should “treat fonts like any other untrusted input” by implementing sandboxing and using tools like OpenType-Sanitizer.
This is not the first time the security of fonts has been raised; Google explored similar problems almost a decade ago. However, with cyberattacks now more prevalent and more damaging, Canva's recommendation to pay attention to less obvious attack surfaces is a very sensible one.