
Arch Linux alert ASA-202505-11 (freetype2)

From:  Andrea Denisse <denisse@archlinux.org>
To:  arch-security <arch-security@lists.archlinux.org>
Subject:  [ASA-202505-11] freetype2: arbitrary code execution
Date:  Tue, 20 May 2025 13:18:12 -0600
Message-ID:  <b0696d35b671b56f56fdb193099f71f1f003a214.camel@archlinux.org>
Archive-link:  Article

Arch Linux Security Advisory ASA-202505-11
==========================================

Severity: High
Date    : 2025-05-19
CVE-ID  : CVE-2025-27363
Package : freetype2
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2877

Summary
=======

The package freetype2 before version 2.13.3-3 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 2.13.3-3.

# pacman -Syu "freetype2>=2.13.3-3"

The problem has been fixed upstream in version 2.13.3.

Workaround
==========

None.

Description
===========

An out-of-bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Impact
======

A remote attacker who is able to load a specially crafted font file is able to execute arbitrary code on the affected host.

References
==========

https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/commit...
https://security.archlinux.org/CVE-2025-27363
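The arithmetic hazard the Description refers to, shown as an added illustration that is not the FreeType code or the fix commit: the count parameter, the constant FIXED_EXTRA and the element size are assumptions chosen only to show how sign extension followed by an addition yields an undersized allocation, and how a range check before widening prevents it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constant added to the count, as in the advisory's
   "adds a static value"; the real value is not given on the page. */
#define FIXED_EXTRA 4UL

/* Unsafe pattern: a signed short is copied into an unsigned long.
   A negative count sign-extends to a value near ULONG_MAX, and the
   subsequent addition wraps to a tiny number of elements. */
unsigned long unsafe_alloc_size(short count)
{
    unsigned long n = count;                 /* -2 -> ULONG_MAX - 1 */
    return (n + FIXED_EXTRA) * sizeof(long); /* wraps to 2 elements */
}

/* Hardened form: reject negative counts before widening, then check
   the multiplication cannot overflow size_t. Returns false when no
   valid allocation size exists, so the caller must bail out. */
bool safe_alloc_size(short count, size_t *out)
{
    if (count < 0)
        return false;
    size_t n = (size_t)count + FIXED_EXTRA;  /* at most SHRT_MAX + 4 */
    if (n > SIZE_MAX / sizeof(long))
        return false;
    *out = n * sizeof(long);
    return true;
}

int main(void)
{
    /* Constructed sample counts: one valid, one negative as a malformed
       font could supply. */
    short samples[] = { 3, -2 };
    for (size_t i = 0; i < 2; i++) {
        size_t sz = 0;
        bool ok = safe_alloc_size(samples[i], &sz);
        printf("count=%d unsafe=%lu bytes safe=%s (%zu bytes)\n",
               samples[i], unsafe_alloc_size(samples[i]),
               ok ? "ok" : "rejected", sz);
    }
    return 0;
}
```

The unsafe path hands a 16-byte buffer (on LP64) to code that still believes it has room for count + FIXED_EXTRA elements; the checked path refuses the negative count instead.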




Copyright © 2025, Eklektix, Inc.