Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d617f3e6-7e17-43f0-bb48-3969832627c4@canonical.com>
Date: Fri, 14 Mar 2025 08:55:06 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-27363: out of bounds write in FreeType <=
 2.13.0

Hi Michel,

On 2025-03-13 22:54, Michel Lind wrote:
> 
> The fixes I'm working with both the Meta security folks and the EL
> community (CentOS / AlmaLinux) can be tracked
> herehttps://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8/diffs

I think if you're removing the 4 "phantom points" from outline.n_point and 
outline.n_contours, you probably need to add them back in other places, like the 
parts you are missing from this patch does:

https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f

Is there a reproducer available for this CVE? I was thinking of just doing a 
minimal fix for older freetype versions in Ubuntu, maybe something like this:

-- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1957,6 +1957,13 @@

          limit = (short)gloader->current.num_subglyphs;

+        /* make sure this isn't negative as we're going to add 4 later */
+        if ( limit < 0 )
+        {
+          error = FT_THROW( Invalid_Argument );
+          goto Exit;
+        }
+
          /* construct an outline structure for              */
          /* communication with `TT_Vary_Apply_Glyph_Deltas' */
          outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );


Marc.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.