Bug 951286 (CVE-2025-27363) - <media-libs/freetype-2.13.1: Remote code execution
Summary: <media-libs/freetype-2.13.1: Remote code execution
Status: RESOLVED FIXED
Alias: CVE-2025-27363
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 914804
Blocks:
Reported: 2025-03-13 10:12 UTC by Sam James
Modified: 2025-05-14 08:45 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description, Sam James, 2025-03-13 10:12:45 UTC
"""
Subject: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0

severity: high (CVSS 3.1: 8.1)

Affected versions: <= 2.13.0

Description:

An out of bounds write exists in FreeType versions 2.13.0 and below
when attempting to parse font subglyph structures related to TrueType
GX and variable font files. The vulnerable code assigns a signed short
value to an unsigned long and then adds a static value causing it to
wrap around and allocate too small of a heap buffer. The code then
writes up to 6 signed long integers out of bounds relative to this
buffer. This may result in arbitrary code execution. This vulnerability
may have been exploited in the wild.

https://www.facebook.com/security/advisories/cve-2025-27363

This commit fixes most of the issue - except `limit` is still signed
short - but needs to be redone if you're backporting to 2.10.4

https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d

Per repology some Linux distributions are affected

https://repology.org/project/freetype/versions

- Amazon Linux 2
- Debian stable / Devuan
- RHEL / CentOS Stream / Alma Linux / etc. 8 and 9
- GNU Guix
- Mageia
- OpenMandriva
- openSUSE Leap
- Slackware
- Ubuntu 22.04

(The list above might not be exhaustive)

Best regards,
"""
Comment 1, Sam James, 2025-03-13 10:14:08 UTC
Note that we've had 2.13.1 since...

commit 0c9c83e925a2fab2ba0dfd83b79d87597dc71dc0
Author: Sam James <sam@gentoo.org>
Date:   Sun Jun 25 05:09:24 2023 +0100

    media-libs/freetype: add 2.13.1

    Signed-off-by: Sam James <sam@gentoo.org>

and 2.13.2 was stabled in...

commit 6240ab30f45a6246f34e194b2a10c1c2ab647f04
Author: Sam James <sam@gentoo.org>
Date:   Thu Sep 28 01:20:06 2023 +0100

    media-libs/freetype: Stabilize 2.13.2 amd64, #914804

    Signed-off-by: Sam James <sam@gentoo.org>

--

The question is if we want to issue a GLSA just in case for users.
Comment 2, Larry the Git Cow, 2025-05-14 08:44:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=05a258f7bb4bc3793d9112386621551ead4c9b01

commit 05a258f7bb4bc3793d9112386621551ead4c9b01
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-05-14 08:44:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-05-14 08:44:44 +0000

    [ GLSA 202505-07 ] FreeType: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/951286
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202505-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)