severity: high (CVSS 3.1: 8.1)
Affected versions: <= 2.13.0

Description: An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

https://www.facebook.com/security/advisories/cve-2025-27363

This commit fixes most of the issue - except `limit` is still signed short - but needs to be redone if you're backporting to 2.10.4:

https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d

Per repology, some Linux distributions are affected:

https://repology.org/project/freetype/versions

- Amazon Linux 2
- Debian stable / Devuan
- RHEL / CentOS Stream / Alma Linux / etc. 8 and 9
- GNU Guix
- Mageia
- OpenMandriva
- openSUSE Leap
- Slackware
- Ubuntu 22.04

(The list above might not be exhaustive)

Best regards,

-- 
_o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
README: https://fedoraproject.org/wiki/User:Salimma#README
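The integer-conversion pattern described in the advisory text above, shown as a constructed example added here; this is not FreeType's code and does not reproduce its parser. The names (`slots_unchecked`, `slots_checked`, `buf_store`, `count_oob_writes`), the `HEADER_SLOTS` constant and the sample counts are hypothetical. It shows how a negative signed short, once assigned to an unsigned long and then increased by a constant, wraps to a tiny element count, and how validating the signed value before widening it (plus a bounded store) prevents the undersized allocation and the out-of-bounds writes.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed constant standing in for the "static value" the advisory
 * mentions; the real value is not given on the page. */
#define HEADER_SLOTS 4UL

/* Vulnerable pattern (hypothetical code): a signed short parsed from the font
 * is assigned to an unsigned long, then a constant is added. A negative count
 * sign-extends to a huge value and the addition wraps to a small number. */
unsigned long slots_unchecked(short parsed_count)
{
    unsigned long n = parsed_count;  /* -3 becomes ULONG_MAX - 2 */
    n += HEADER_SLOTS;               /* wraps modulo 2^N: becomes 1 */
    return n;
}

/* Hardened pattern: reject negative input while it is still signed, and
 * guard the addition explicitly. Returns 0 on success, -1 when rejected. */
int slots_checked(short parsed_count, unsigned long *out)
{
    if (parsed_count < 0)
        return -1;                   /* malformed count: refuse to allocate */
    unsigned long n = (unsigned long)parsed_count;
    if (n > ULONG_MAX - HEADER_SLOTS)
        return -1;                   /* defensive; unreachable for a short */
    *out = n + HEADER_SLOTS;
    return 0;
}

/* Convenience wrapper: does the checked path accept this count? */
int count_is_accepted(short parsed_count)
{
    unsigned long unused;
    return slots_checked(parsed_count, &unused) == 0;
}

/* A buffer that remembers its own capacity so stores can be bounds-checked. */
typedef struct {
    long         *data;
    unsigned long capacity;          /* number of long slots allocated */
} long_buf;

/* Bounded store: refuses the write instead of trusting the parsed count. */
int buf_store(long_buf *b, unsigned long index, long value)
{
    if (index >= b->capacity)
        return -1;                   /* this would have been the OOB write */
    b->data[index] = value;
    return 0;
}

/* Simulates the six writes the advisory describes and reports how many of
 * them would have landed outside the buffer sized by each pattern. With the
 * checked path, a rejected count means nothing is allocated or written. */
unsigned long count_oob_writes(short parsed_count, int use_checked)
{
    unsigned long slots;
    if (use_checked) {
        if (slots_checked(parsed_count, &slots) != 0)
            return 0;
    } else {
        slots = slots_unchecked(parsed_count);
    }
    long_buf b;
    b.capacity = slots;
    b.data = calloc(slots ? slots : 1, sizeof(long));
    if (!b.data)
        return 0;                    /* allocation of a huge count fails */
    unsigned long oob = 0;
    for (unsigned long i = 0; i < 6; i++)
        if (buf_store(&b, i, (long)i) != 0)
            oob++;
    free(b.data);
    return oob;
}

int main(void)
{
    printf("unchecked slots for -3: %lu\n", slots_unchecked(-3));
    printf("OOB writes, unchecked, count -3: %lu\n", count_oob_writes(-3, 0));
    printf("OOB writes, checked,   count -3: %lu\n", count_oob_writes(-3, 1));
    printf("OOB writes, unchecked, count  2: %lu\n", count_oob_writes(2, 0));
    return 0;
}
```

With a constructed count of -3 the unchecked arithmetic yields a single slot, so five of the six stores fall outside the buffer; the checked variant rejects the count before any allocation. The same wrap happens for any width of `unsigned long`, which is why the check belongs on the signed value rather than after the conversion.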