git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
freetype: patch CVE-2025-27363
author Peter Marko <peter.marko@siemens.com>
Sun, 30 Mar 2025 20:43:50 +0000 (22:43 +0200)
committer Steve Sakoman <steve@sakoman.com>
Mon, 31 Mar 2025 16:13:54 +0000 (09:13 -0700)
commit 5a8d4c7a9a0e099da0294141cf5590b55f0503cd
tree 947131f41676702b320e41ece4697af2f4887412
parent 46fd9acd6b0e418009f4cec747ae82af60acbc6b
freetype: patch CVE-2025-27363

From [1]:
An out of bounds write exists in FreeType versions 2.13.0 and below
(newer versions of FreeType are not vulnerable) when attempting to
parse font subglyph structures related to TrueType GX and variable font
files. The vulnerable code assigns a signed short value to an unsigned
long and then adds a static value causing it to wrap around and
allocate too small of a heap buffer. The code then writes up to 6
signed long integers out of bounds relative to this buffer. This may
result in arbitrary code execution. This vulnerability may have been
exploited in the wild.

Per [2] patches [3] and [4] are needed.
Unfortunately, the code changed since 2.11.1 and it's not possible to do
a backport without significant changes. Since Debian and Ubuntu have
already patched this CVE, take the patch from them - [5]/[6].
The patch is a combination of the patch originally proposed in [7] and
the follow-up patch [4].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-27363
[2] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
[3] https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
[4] https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
[5] https://git.launchpad.net/ubuntu/+source/freetype/commit/?h=applied/ubuntu/jammy-devel&id=fc406fb02653852dfa5979672e3d8d56ed329186
[6] https://salsa.debian.org/debian/freetype/-/commit/13295227b5b0d717a343f276d77ad3b89fcc6ed0
[7] https://www.openwall.com/lists/oss-security/2025/03/14/3

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch [new file with mode: 0644]
meta/recipes-graphics/freetype/freetype_2.11.1.bb
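
The arithmetic described in the CVE text quoted above (a signed short widened to an unsigned long, then a constant added before the result sizes a heap buffer), next to a checked form. This is an added illustration, not FreeType code and not the patch from this commit; the function names, the constant 4 and the 1024 limit are assumptions.

```c
#include <stdio.h>

/* Assumed value: the advisory text only says "a static value". */
#define EXTRA_SLOTS 4UL

/* Pattern from the description: a signed short is widened to unsigned long
 * and a constant is added before the result is used as an element count. */
unsigned long slots_unchecked(short count)
{
    unsigned long n = (unsigned long)count; /* -4 becomes ULONG_MAX - 3 */
    return n + EXTRA_SLOTS;                 /* ...and the sum wraps to 0 */
}

/* Hardened form: reject negative counts before widening and bound the total.
 * Returns 0 and stores the element count in *out, or -1 if rejected. */
int slots_checked(short count, unsigned long max_slots, unsigned long *out)
{
    unsigned long n;

    if (count < 0)
        return -1;
    n = (unsigned long)count;
    if (n > max_slots || max_slots - n < EXTRA_SLOTS)
        return -1;
    *out = n + EXTRA_SLOTS;
    return 0;
}

int main(void)
{
    /* Constructed sample counts, not taken from any real font file. */
    const short samples[] = { 10, 0, -1, -4, -32768 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long safe = 0;
        int rc = slots_checked(samples[i], 1024UL, &safe);
        printf("count=%6d unchecked=%lu checked=%s\n", samples[i],
               slots_unchecked(samples[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A negative count yields an element count far smaller than the number of entries later written, which is why the checked form rejects it before any allocation takes place.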