On 3/13/25 04:23, Alexei Podtelezhnikov wrote:
> On Wed, Mar 12, 2025 at 9:37 PM Alan Coopersmith <alan.coopersm...@oracle.com> wrote:
>> https://www.facebook.com/security/advisories/cve-2025-27363
>> https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
>
> Dear Alan,
>
> We have been informed in advance about this. We suspect that Meta used
> some AI tools to scan the commit history and identify commits with
> potential changes in memory access patterns. The first claim was that
> <= 2.13.2 were vulnerable, which we pushed back by a year and a half.
>
> In this brave new world, freezing the old software versions is no
> longer viable for the open systems. We invite everybody to use the
> most recent version and help us improve FreeType, rather than engaging
> in the patch race against AI.
CISA added this vulnerability to their Known Exploited Vulnerabilities Catalog
today, so there will be even more users checking to see if they have it fixed
now:
https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
Hopefully the distros & applications that bundle FreeType have all updated
already.
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris