Thank you for sharing this and for your work on piecing together the commits needed to backport to 2.10.4.
On Wed, Mar 12, 2025 at 8:16 PM Michel Lind <mic...@michel-slm.name> wrote:
> severity: high (CVSS 3.1: 8.1)
>
> Affected versions: <= 2.13.0
>
> Description:
>
> An out of bounds write exists in FreeType versions 2.13.0 and below
> when attempting to parse font subglyph structures related to TrueType
> GX and variable font files. The vulnerable code assigns a signed short
> value to an unsigned long and then adds a static value causing it to
> wrap around and allocate too small of a heap buffer. The code then
> writes up to 6 signed long integers out of bounds relative to this
> buffer. This may result in arbitrary code execution. This vulnerability
> may have been exploited in the wild.
>
> https://www.facebook.com/security/advisories/cve-2025-27363
>
> This commit fixes most of the issue - except `limit` is still signed
> short - but needs to be redone if you're backporting to 2.10.4
>
> https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
>
> Per repology some Linux distributions are affected
>
> https://repology.org/project/freetype/versions
>
> - Amazon Linux 2
> - Debian stable / Devuan
> - RHEL / CentOS Stream / Alma Linux / etc. 8 and 9
> - GNU Guix
> - Mageia
> - OpenMandriva
> - openSUSE Leap
> - Slackware
> - Ubuntu 22.04
>
> (The list above might not be exhaustive)
>
> Best regards,
>
> --
> _o) Michel Lind
> _( ) identities:
> https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
> README: https://fedoraproject.org/wiki/User:Salimma#README

--
Jonathan Wright
AlmaLinux OS Foundation
Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>
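The signed-to-unsigned wrap the advisory describes, shown as an added illustration that is not part of this thread and not FreeType's code. `EXTRA_SLOTS`, `vulnerable_count` and `safe_count` are hypothetical names, and the constant only stands in for the unstated "static value"; the hardened variant shows the checks a backport should keep.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the static value added to the count. */
#define EXTRA_SLOTS 4UL

/* Vulnerable pattern: a signed short is widened to unsigned long, so a
 * negative value becomes ULONG_MAX, and the addition wraps it back to a
 * tiny element count, leading to an undersized heap allocation. */
unsigned long vulnerable_count(short limit)
{
    unsigned long n = limit;   /* -1 becomes ULONG_MAX */
    n += EXTRA_SLOTS;          /* wraps around to EXTRA_SLOTS - 1 */
    return n;
}

/* Hardened pattern: reject negative input, then check the addition and
 * the size multiplication before computing the allocation size in bytes.
 * Returns false if the request cannot be satisfied safely. */
bool safe_count(short limit, size_t *out_bytes)
{
    if (limit < 0)
        return false;                        /* no negative counts */
    unsigned long n = (unsigned long)limit;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return false;                        /* addition would wrap */
    n += EXTRA_SLOTS;
    if (n > SIZE_MAX / sizeof(long))
        return false;                        /* multiplication would wrap */
    *out_bytes = (size_t)n * sizeof(long);
    return true;
}

int main(void)
{
    size_t bytes = 0;
    printf("vulnerable count for limit -1: %lu elements\n",
           vulnerable_count(-1));
    printf("safe_count(-1) accepted: %s\n",
           safe_count(-1, &bytes) ? "yes" : "no");
    if (safe_count(10, &bytes))
        printf("safe_count(10): %zu bytes\n", bytes);
    return 0;
}
```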