oss-sec mailing list archives
CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
From: Michel Lind <michel () michel-slm name>
Date: Wed, 12 Mar 2025 15:57:55 -0500
severity: high (CVSS 3.1: 8.1)
Affected versions: <= 2.13.0

Description:

An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

https://www.facebook.com/security/advisories/cve-2025-27363

This commit fixes most of the issue - except `limit` is still signed short - but needs to be redone if you're backporting to 2.10.4

https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d

Per repology some Linux distributions are affected

https://repology.org/project/freetype/versions

- Amazon Linux 2
- Debian stable / Devuan
- RHEL / CentOS Stream / Alma Linux / etc. 8 and 9
- GNU Guix
- Mageia
- OpenMandriva
- openSUSE Leap
- Slackware
- Ubuntu 22.04

(The list above might not be exhaustive)

Best regards,

-- 
 _o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
     README: https://fedoraproject.org/wiki/User:Salimma#README
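The arithmetic in the description above, as an added example that is not part of the original message and is not FreeType's code: a signed short count converted to unsigned long and padded with a constant, next to a range-checked form. The names slots_flawed, slots_checked and alloc_slots are hypothetical, and PAD is an assumed stand-in for the "static value", which the message does not give.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: stand-in for the advisory's "static value". */
#define PAD 4UL

/* Flawed pattern: a negative short sign-extends to a huge unsigned long,
   and adding PAD wraps it around to a very small element count. */
static unsigned long slots_flawed(short count)
{
    unsigned long n = (unsigned long)count;   /* -1 becomes ULONG_MAX */
    return n + PAD;                           /* wraps modulo 2^N */
}

/* Checked form: reject negative counts before any unsigned arithmetic.
   Returns 0 and stores the element count, or -1 if the input is invalid. */
static int slots_checked(short count, unsigned long *out)
{
    if (count < 0)
        return -1;
    *out = (unsigned long)count + PAD;        /* at most SHRT_MAX + PAD */
    return 0;
}

/* Allocate only from a validated count; guard the byte-size product too. */
static long *alloc_slots(short count, unsigned long *n_out)
{
    unsigned long n;
    if (slots_checked(count, &n) != 0)
        return NULL;
    if (n > (size_t)-1 / sizeof(long))
        return NULL;
    *n_out = n;
    return calloc((size_t)n, sizeof(long));
}

int main(void)
{
    /* Constructed sample counts, standing in for values read from a font. */
    short samples[] = { 10, 0, -1, -4, SHRT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n = 0;
        long *buf = alloc_slots(samples[i], &n);
        printf("count=%6d flawed=%lu checked=%s\n", samples[i],
               slots_flawed(samples[i]), buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```

For a count of -1 the flawed form yields 3 elements where the caller expects room for far more, which is the undersized heap buffer the description refers to.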
