Arch Linux Security Advisory ASA-202505-11
==========================================

Severity: High
Date    : 2025-05-19
CVE-ID  : CVE-2025-27363
Package : freetype2
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2877

Summary
=======

The package freetype2 before version 2.13.3-3 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 2.13.3-3.

# pacman -Syu "freetype2>=2.13.3-3"

The problem has been fixed upstream in version 2.13.3.

Workaround
==========

None.

Description
===========

An out of bounds write exists in FreeType versions 2.13.0 and below when
attempting to parse font subglyph structures related to TrueType GX and
variable font files. The vulnerable code assigns a signed short value to an
unsigned long and then adds a static value, causing it to wrap around and
allocate too small of a heap buffer. The code then writes up to 6 signed
long integers out of bounds relative to this buffer. This may result in
arbitrary code execution. This vulnerability may have been exploited in the
wild.

Impact
======

A remote attacker that is able to load a specially crafted font file is
able to execute arbitrary code on the affected host.

References
==========

https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
https://security.archlinux.org/CVE-2025-27363
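The arithmetic defect in the Description section (a signed short assigned to an unsigned long, then a constant added so the size wraps to a small value) is modelled below as an added example. This is not FreeType's code: the function names and the EXTRA_SLOTS constant are assumptions, and the hardened variant shows the input validation and checked addition a fix needs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical fixed addition standing in for the advisory's "static
   value"; the real constant is not given on the page. */
#define EXTRA_SLOTS 4UL

/* Buggy size computation (constructed model, not FreeType's code).
   A negative short sign-extends to a value near ULONG_MAX, so adding
   EXTRA_SLOTS wraps around to a tiny allocation size. */
unsigned long buggy_slot_count(short n_subglyphs)
{
    unsigned long count = n_subglyphs;  /* implicit sign extension */
    return count + EXTRA_SLOTS;         /* may wrap to < EXTRA_SLOTS */
}

/* Hardened computation: reject a negative count before it is converted
   and use a checked addition so the result can never wrap.
   Returns false (and leaves *out untouched) when the input is invalid. */
bool safe_slot_count(short n_subglyphs, unsigned long *out)
{
    if (n_subglyphs < 0)
        return false;
    unsigned long count = (unsigned long)n_subglyphs;
    if (count > ULONG_MAX - EXTRA_SLOTS)
        return false;
    *out = count + EXTRA_SLOTS;
    return true;
}

/* Bounds check that the later writes must respect: the advisory's
   six out-of-bounds stores are exactly what this predicate rejects. */
bool write_fits(unsigned long buffer_slots, unsigned long needed_slots)
{
    return needed_slots <= buffer_slots;
}

int main(void)
{
    short n = -2;  /* constructed hostile count from a malformed font */
    unsigned long buggy = buggy_slot_count(n), safe = 0;
    printf("buggy computation allocates %lu slots (wrapped)\n", buggy);
    printf("six-slot write fits: %s\n", write_fits(buggy, 6) ? "yes" : "no");
    printf("hardened computation: %s\n",
           safe_slot_count(n, &safe) ? "accepted" : "rejected input");
    return 0;
}
```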