Arch Linux Security Advisory ASA-202505-11
==========================================
Severity: High
Date: 2025-05-19
CVE-ID: CVE-2025-27363
Package: freetype2
Type: arbitrary code execution
Remote: Yes
Link: https://security.archlinux.org/AVG-2877
Summary
=======
The package freetype2 before version 2.13.3-3 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.13.3-3.
# pacman -Syu "freetype2>=2.13.3-3"
The problem has been fixed upstream in version 2.13.3.
Workaround
==========
None.
Description
===========
An out-of-bounds write exists in FreeType versions 2.13.0 and below
when parsing font subglyph structures related to TrueType GX and
variable font files. The vulnerable code assigns a signed short value
to an unsigned long and then adds a static value, causing the result to
wrap around so that a heap buffer that is too small is allocated. The
code then writes up to 6 signed long integers out of bounds relative to
this buffer. This may result in arbitrary code execution. This
vulnerability may have been exploited in the wild.
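The integer conversion the description refers to, shown here as an added illustration that is not FreeType's code: a signed short count is widened into an unsigned long, a constant is added, and the wrapped result yields an undersized allocation; beside it sits a hardened size computation that rejects the malformed count. HEADER_LONGS and the sample field value are constructed assumptions, not values from the advisory or from FreeType.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Fixed number of longs written after the variable part; a constructed
   constant standing in for the "static value" the advisory mentions,
   not FreeType's real layout. */
#define HEADER_LONGS 6UL

/* Size computation with the defect the advisory describes: a signed
   16-bit count read from the font is widened into an unsigned long.
   A negative count becomes a value near ULONG_MAX, and adding the
   constant wraps the sum around to a tiny number of elements. */
unsigned long buggy_alloc_size(short count)
{
    unsigned long n = count;                  /* -5 becomes ULONG_MAX - 4 */
    return (n + HEADER_LONGS) * sizeof(long); /* (ULONG_MAX - 4) + 6 wraps to 1 */
}

/* Hardened version: reject negative counts before widening and guard
   the multiplication, so the buffer is never smaller than what the
   parser will write into it. Returns false when the input is unsafe. */
bool safe_alloc_size(short count, unsigned long *out)
{
    if (count < 0)
        return false;                         /* a negative count is malformed input */
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX / sizeof(long) - HEADER_LONGS)
        return false;                         /* the final multiplication would overflow */
    *out = (n + HEADER_LONGS) * sizeof(long);
    return true;
}

int main(void)
{
    short from_font = -5;                     /* constructed malformed field value */
    unsigned long need = HEADER_LONGS * sizeof(long);
    unsigned long got = buggy_alloc_size(from_font);
    printf("buggy: allocates %lu bytes, parser writes at least %lu\n", got, need);

    unsigned long safe;
    if (!safe_alloc_size(from_font, &safe))
        printf("safe: rejected count %d\n", from_font);
    return 0;
}
```

The buggy path allocates a single long for the constructed input while the parser goes on to write six, which is the undersized-buffer condition the description attributes to the wrap-around.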
Impact
======
A remote attacker who is able to load a specially crafted font file can
execute arbitrary code on the affected host.
References
==========
https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
https://security.archlinux.org/CVE-2025-27363