
Gentoo: GLSA-202505-07 critical: FreeType remote execution

Gentoo, May 14, 2025
A critical flaw in FreeType affecting Gentoo could lead to remote code execution; updating is necessary to mitigate the risk.
A vulnerability has been discovered in FreeType, which can lead to remote code execution.

Summary

Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details.

Resolution

All FreeType users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/freetype-2.13.1"

References

[ 1 ] CVE-2025-27363 https://nvd.nist.gov/vuln/detail/CVE-2025-27363

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202505-07

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
critical

Severity: High
Title: FreeType: Remote Code Execution
Date: May 14, 2025
Bugs: #951286
ID: 202505-07

Synopsis

A vulnerability has been discovered in FreeType, which can lead to remote code execution.

Background

FreeType is a high-quality and portable font engine.


Affected Packages

Package              Vulnerable   Unaffected
-------------------  -----------  -----------
media-libs/freetype  < 2.13.1     >= 2.13.1

Impact

An out-of-bounds write exists in FreeType when parsing font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate too small a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
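As an added illustration of the integer-conversion pattern the Impact section describes (constructed for this page, not FreeType's code): a negative signed short widened to unsigned long becomes a huge value, and adding a small constant wraps it to a tiny element count, so the heap allocation is far smaller than the writes that follow. PAD is an assumed stand-in for the advisory's "static value"; the hardened variant rejects negative counts and checks every arithmetic step before computing the allocation size.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed constant standing in for the advisory's "static value". */
#define PAD 4UL

/* Vulnerable pattern: the short is sign-extended when converted to
 * unsigned long (-4 becomes ULONG_MAX - 3), and adding PAD wraps
 * modulo 2^N, yielding an element count of 0 for n == -4. */
unsigned long vulnerable_count(short n)
{
    unsigned long count = (unsigned long)n;
    count += PAD;                /* silent wrap-around here */
    return count;                /* passed straight to the allocator */
}

/* Hardened pattern: validate the sign before widening, then check the
 * addition and the multiply-by-element-size for overflow.
 * Returns the byte size to allocate, or -1 if the input is rejected. */
long safe_alloc_bytes(short n, size_t elem_size)
{
    if (n < 0 || elem_size == 0)
        return -1;                               /* negative count: reject */
    unsigned long count = (unsigned long)n;
    if (count > ULONG_MAX - PAD)
        return -1;                               /* addition would wrap */
    count += PAD;
    if (count > (unsigned long)(LONG_MAX / elem_size))
        return -1;                               /* multiply would overflow */
    return (long)(count * elem_size);
}

int main(void)
{
    /* Constructed inputs: a negative subglyph count and a sane one. */
    printf("vulnerable count for -4: %lu elements\n", vulnerable_count(-4));
    printf("hardened result for -4:  %ld (rejected)\n",
           safe_alloc_bytes(-4, sizeof(long)));
    printf("hardened result for 3:   %ld bytes\n",
           safe_alloc_bytes(3, sizeof(long)));
    return 0;
}
```

The wrapped count of 0 is what leaves the buffer unable to hold the up-to-6 longs written afterwards; the hardened path never reaches the allocator for such input.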

Workaround

There is no known workaround at this time.
