An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. https://www.facebook.com/security/advisories/cve-2025-27363 Facebook claims this "may have been exploited in the wild."
CVE: (none) => CVE-2025-27363
QA Contact: (none) => security
CC: (none) => dan
Component: RPM Packages => Security
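The size miscalculation the CVE text describes (a signed short assigned to an unsigned long, then a constant added, wrapping to a tiny allocation) is easy to reproduce in isolation. The following C program is an added illustration written for this thread, not FreeType's code: HEADER_BYTES is a hypothetical stand-in for the "static value" the description mentions, and the function names are invented. It shows how a negative count becomes a near-ULONG_MAX value, how the addition wraps, and why the check has to reject negative counts before the conversion rather than after it.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical constant standing in for the "static value" the CVE text
 * mentions; FreeType's real constant and field names are not reproduced. */
#define HEADER_BYTES 16UL

/* Vulnerable pattern: a signed short count is assigned to an unsigned long
 * and a constant is added with no range check. A negative count converts to
 * a value near ULONG_MAX, the addition wraps, and the resulting size is tiny
 * (or even zero), so the caller allocates far less than it later writes. */
unsigned long size_unchecked(short count)
{
    unsigned long n = (unsigned long)count; /* -1 becomes ULONG_MAX */
    return n + HEADER_BYTES;                /* ULONG_MAX + 16 wraps to 15 */
}

/* Hardened pattern: reject negative counts before the conversion and guard
 * the addition. Returns 0 to signal a rejected size (a valid size is never
 * smaller than HEADER_BYTES, so 0 is unambiguous). */
unsigned long size_checked(short count)
{
    if (count < 0)
        return 0;
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX - HEADER_BYTES) /* unreachable for a short; kept for generality */
        return 0;
    return n + HEADER_BYTES;
}

/* The CVE text says up to 6 signed long integers are written relative to the
 * buffer; this reports whether a write of n_longs would exceed alloc_size. */
int write_exceeds_buffer(unsigned long alloc_size, size_t n_longs)
{
    return n_longs * sizeof(long) > alloc_size;
}

/* Demonstrates the wrap-around with constructed sample counts. */
int main(void)
{
    short samples[] = { 10, -1, -16 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long bad  = size_unchecked(samples[i]);
        unsigned long good = size_checked(samples[i]);
        printf("count=%4d unchecked=%20lu checked=%3lu overrun=%d\n",
               samples[i], bad, good, write_exceeds_buffer(bad, 6));
    }
    return 0;
}
```

With count = -1 the unchecked size is 15 bytes and with count = -16 it is 0, while six longs need 24 or 48 bytes depending on the platform; the checked variant refuses both negative inputs. The general lesson is that the sign check must happen on the signed type, since once the value has been converted to unsigned it is simply a large positive number and no later comparison will recognise it as negative.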
See https://www.openwall.com/lists/oss-security/2025/03/13/1 This patch fixes it: https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d I'll work on an update.
Assignee: bugsquad => dan
Status: NEW => ASSIGNED
I've built freetype2-2.13.0-1.1.mga9.tainted.src.rpm in tainted/updates_testing BUT the openwall thread seems to indicate that patch isn't sufficient to fully mitigate the bug. I'll monitor that and may end up pushing another update.
There was, indeed, more to the fix. I've uploaded freetype2-2.13.0-1.2.mga9.tainted.src.rpm to tainted/updates_testing.

Suggested advisory:
===================

An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files which may result in arbitrary code execution.

References:
https://www.openwall.com/lists/oss-security/2025/03/13/1
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322

Updated packages in tainted/updates_testing:
============================================
freetype2-demos-2.13.0-1.2.mga9.tainted
lib(64)freetype6-2.13.0-1.2.mga9.tainted
lib(64)freetype2-devel-2.13.0-1.2.mga9.tainted

from SRPM:
freetype2-2.13.0-1.2.mga9.tainted.src.rpm
Assignee: dan => qa-bugs
Keywords: (none) => advisory
RH x86_64

installing lib64freetype6-2.13.0-1.2.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64freetype6 ##################################################################################################
1/1: removing lib64freetype6-2.13.0-1.mga9.tainted.x86_64 ##################################################################################################

LC_ALL=C urpmi freetype2-demos
installing freetype2-demos-2.13.0-1.2.mga9.tainted.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: freetype2-demos ##################################################################################################

Reference: bug#31887 comment#6

ftview 50 NotoSans-BlackItalic.ttf
Execution completed successfully

ftview -m "Good morning QA!" 50 NotoSans-Bold.ttf
I understand what Len means with "This did not run as expected"

strace gimp shows
openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3

No issues opening pdf and djvu files in okular; no issues detected
freetype2 is also on Core repo not only on Tainted, so there is a missing fix for Core!
CC: (none) => geiger.david68210
I didn't spot that! freetype2-2.13.0-1.2.mga9.src.rpm is now also available in core/updates_testing
Suggested advisory:
===================

An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files which may result in arbitrary code execution.

References:
https://www.openwall.com/lists/oss-security/2025/03/13/1
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322

Updated packages in tainted/updates_testing:
============================================
freetype2-demos-2.13.0-1.2.mga9.tainted
lib(64)freetype6-2.13.0-1.2.mga9.tainted
lib(64)freetype2-devel-2.13.0-1.2.mga9.tainted

from SRPM:
freetype2-2.13.0-1.2.mga9.tainted.src.rpm

Updated packages in tainted/updates_testing:
============================================
freetype2-demos-2.13.0-1.2.mga9
lib64freetype2-devel-2.13.0-1.2.mga9
lib64freetype6-2.13.0-1.2.mga9

SRPM:
freetype2-2.13.0-1.2.mga9.src.rpm
Suggested advisory:
===================

An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files which may result in arbitrary code execution.

References:
https://www.openwall.com/lists/oss-security/2025/03/13/1
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322

Updated packages in tainted/updates_testing:
============================================
freetype2-demos-2.13.0-1.2.mga9.tainted
lib(64)freetype6-2.13.0-1.2.mga9.tainted
lib(64)freetype2-devel-2.13.0-1.2.mga9.tainted

from SRPM:
freetype2-2.13.0-1.2.mga9.tainted.src.rpm

Updated packages in core/updates_testing:
============================================
freetype2-demos-2.13.0-1.2.mga9
lib(64)freetype2-devel-2.13.0-1.2.mga9
lib(64)freetype6-2.13.0-1.2.mga9

SRPM:
freetype2-2.13.0-1.2.mga9.src.rpm
RH x86_64

I "downgrade" to core versions

LC_ALL=C urpmi --downgrade lib64freetype6-2.13.0-1.2.mga9 freetype2-demos-2.13.0-1.2.mga9
The following packages have to be removed for others to be upgraded:
freetype2-demos-2.13.0-1.2.mga9.tainted.x86_64
 (in order to install freetype2-demos-2.13.0-1.2.mga9.x86_64)
lib64freetype6-2.13.0-1.2.mga9.tainted.x86_64
 (in order to install lib64freetype6-2.13.0-1.2.mga9.x86_64)
 (y/N) y
installing lib64freetype6-2.13.0-1.2.mga9.x86_64.rpm freetype2-demos-2.13.0-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64freetype6 ##################################################################################################
2/2: freetype2-demos ##################################################################################################
1/2: removing freetype2-demos-2.13.0-1.2.mga9.tainted.x86_64 ##################################################################################################
2/2: removing lib64freetype6-2.13.0-1.2.mga9.tainted.x86_64 ##################################################################################################

cd /usr/share/fonts/google-noto

And repeat the test

ftview 50 NotoSans-BlackItalic.ttf
Execution completed successfully.

strace gimp shows
openat(AT_FDCWD, "/lib64/libfreetype.so.6", O_RDONLY|O_CLOEXEC) = 3

Opening pdf and djvu files in okular: no issues detected

Advisory is updated
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0099.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED