[manjaro-security] [ASA-202505-11] freetype2: arbitrary code execution

Andrea Denisse denisse at archlinux.org
Tue May 20 21:18:12 CEST 2025


Arch Linux Security Advisory ASA-202505-11
==========================================

Severity: High
Date    : 2025-05-19
CVE-ID  : CVE-2025-27363
Package : freetype2
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2877

Summary
=======

The package freetype2 before version 2.13.3-3 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 2.13.3-3.

# pacman -Syu "freetype2>=2.13.3-3"

The problem has been fixed upstream in version 2.13.3.

Workaround
==========

None.

Description
===========

An out-of-bounds write exists in FreeType versions 2.13.0 and below
when parsing font subglyph structures related to TrueType GX and
variable font files. The vulnerable code assigns a signed short value to
an unsigned long and then adds a static value, causing the result to
wrap around and allocate a heap buffer that is too small. The code then
writes up to 6 signed long integers out of bounds relative to this
buffer. This may result in arbitrary code execution. This vulnerability
may have been exploited in the wild.
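As an added illustration (not code from FreeType or from this advisory), the following C program models the size computation described above: the vulnerable signed-to-unsigned conversion beside a hardened version that rejects negative counts and checks for overflow before allocating. The function names and the HEADER_BYTES constant are assumptions, not FreeType identifiers.

```c
/* Added example, not FreeType's code: models the signed-to-unsigned
 * wrap-around described in the advisory next to a hardened size
 * computation. All names and the HEADER_BYTES constant are constructed. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define HEADER_BYTES 8UL  /* stands in for the "static value" added to the count */

/* Vulnerable pattern: a signed short count is copied into an unsigned
 * long and a constant is added with no sign check. For count == -1 the
 * conversion yields ULONG_MAX and the addition wraps to 7, so the caller
 * allocates a 7-byte buffer and later writes far past its end. */
unsigned long vuln_alloc_size(short count)
{
    unsigned long size = count;   /* implicit sign conversion: -1 -> ULONG_MAX */
    size += HEADER_BYTES;         /* modular arithmetic wraps around */
    return size;
}

/* Hardened pattern (generalised to count * elem_size + header): reject
 * negative counts before any conversion and refuse sizes that would
 * overflow. Returns 0, which is never a valid size here, on rejection. */
unsigned long safe_alloc_size(short count, size_t elem_size)
{
    if (count < 0 || elem_size == 0)
        return 0;
    unsigned long n = (unsigned long)count;
    if (n > (ULONG_MAX - HEADER_BYTES) / elem_size)
        return 0;                 /* multiplication or addition would overflow */
    return n * elem_size + HEADER_BYTES;
}

int main(void)
{
    printf("vulnerable: count=-1 -> %lu bytes\n", vuln_alloc_size(-1));
    printf("hardened:   count=-1 -> %lu (rejected)\n", safe_alloc_size(-1, 8));
    printf("hardened:   count=10 -> %lu bytes\n", safe_alloc_size(10, 8));
    return 0;
}
```

Building the vulnerable function with `-Wsign-conversion` (GCC or Clang) flags the implicit short-to-unsigned-long conversion at compile time, which is the cheapest check for this bug class.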

Impact
======

A remote attacker that is able to load a specially crafted font file is
able to execute arbitrary code on the affected host.

References
==========

https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
https://security.archlinux.org/CVE-2025-27363
