Message-ID: <69e0cf03.a70a0220.a47bc.d193@mx.google.com>
Date: Thu, 16 Apr 2026 04:58:59 -0700 (PDT)
From: yangjincheng1998@...il.com
To: oss-security@...ts.openwall.com
Subject: CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1

Hello oss-security,

This is an information-only post documenting a downstream impact and maintainer response for an existing, already-public CVE.

== CVE ==

CVE-2025-27363 -- FreeType <= 2.13.2 heap-buffer-overflow in load_truetype_glyph(), src/truetype/ttgload.c (~line 1929).
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27363
Fix: FreeType 2.13.3, upstream commit a1e5a9df.

== Downstream impact: FontForge ==

FontForge (https://github.com/fontforge/fontforge) links FreeType to parse and process font files. When built or run against FreeType <= 2.13.2, FontForge inherits the heap-buffer-overflow when opening a maliciously crafted TrueType font.

We confirmed the issue with AddressSanitizer against FreeType 2.13.0 (common in distributions that have not backported the fix):

  ==ERROR: AddressSanitizer: heap-buffer-overflow
  WRITE of size 16 at ttgload.c:1929 in load_truetype_glyph
  0 bytes to the right of 16-byte region allocated at ttgload.c:1909

Recommended action for distributors and packagers: ensure FontForge is built/linked against FreeType >= 2.13.3, or apply the upstream fix (commit a1e5a9df).

== Upstream maintainer response ==

We reported this downstream impact to FontForge upstream as https://github.com/fontforge/fontforge/issues/5799 (2026-04-15). The issue was closed within hours under "Community-guidelines #D1", which states that the project does not accept security reports without an accompanying fix PR.

Context: ZDI submitted 12 unrelated FontForge CVEs in 2025-12 and received the same response (https://github.com/fontforge/fontforge/issues/5706).

We post here so distributors and downstream packagers have a public, independent record of the FontForge -> FreeType linkage status, and can verify their own builds.

== Reproducer ==

Public PoC: https://github.com/francozappa/poc-CVE-2025-27363
Build/run FontForge against FreeType 2.13.0 or 2.13.2 with the PoC TTF to reproduce.

Regards,
vulgraph
(Academic security research; PhD work on 1-day vulnerability propagation across forks and downstream consumers.)
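As an added example (not part of the post above, nor code from FontForge or FreeType), here is one way a packager can verify the linkage status the post asks distributors to check: resolve which libfreetype a FontForge binary loads via ldd, then ask that library its own version through the public FT_Library_Version API and compare against 2.13.3. The default binary path and the embedded ldd sample are assumptions constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not from the original post, FontForge or FreeType): find the
# libfreetype a FontForge binary resolves at runtime and check whether it is at
# or past 2.13.3, the release that fixes CVE-2025-27363. Assumes Linux + ldd.
import ctypes
import re
import subprocess

FIXED_VERSION = (2, 13, 3)  # first FreeType release containing the fix

# Constructed sample of ldd output, used only for offline demonstration.
SAMPLE_LDD = """\
\tlibfreetype.so.6 => /usr/lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f1c2e000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2dc00000)
"""

def freetype_path_from_ldd(ldd_output):
    """Resolved libfreetype path, or None when FreeType is not dynamically
    linked (static build or 'not found'): inspect the build recipe instead."""
    m = re.search(r"^\s*libfreetype\.so\S*\s+=>\s+(/\S+)", ldd_output, re.M)
    return m.group(1) if m else None

def runtime_freetype_version(lib_path):
    """Load the library and ask it via FT_Library_Version (public FreeType API)."""
    ft = ctypes.CDLL(lib_path)
    ft.FT_Init_FreeType.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    ft.FT_Library_Version.argtypes = [ctypes.c_void_p] + [ctypes.POINTER(ctypes.c_int)] * 3
    ft.FT_Done_FreeType.argtypes = [ctypes.c_void_p]
    lib = ctypes.c_void_p()
    if ft.FT_Init_FreeType(ctypes.byref(lib)) != 0:
        raise RuntimeError("FT_Init_FreeType failed for " + lib_path)
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    ft.FT_Library_Version(lib, ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    ft.FT_Done_FreeType(lib)
    return (major.value, minor.value, patch.value)

def is_fixed(version):
    """Integer tuple comparison, so 2.13.10 is not mistaken for older than 2.13.3."""
    return tuple(version) >= FIXED_VERSION

def check_fontforge(binary="/usr/bin/fontforge"):  # default path is an assumption
    """Return 'fixed', 'vulnerable' or 'unknown' for the given FontForge binary."""
    try:
        out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    path = freetype_path_from_ldd(out)
    if path is None:
        return "unknown"
    return "fixed" if is_fixed(runtime_freetype_version(path)) else "vulnerable"
```

An "unknown" result (no dynamic libfreetype, or ldd failing) means the binary may bundle FreeType statically, in which case the build recipe and the vendored FreeType version must be inspected instead.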