Описание
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
A flaw was found in FreeType. In affected versions, an out-of-bounds write condition may be triggered when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate a heap buffer that is too small. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This issue could result in arbitrary code execution or other undefined behavior.
Отчет
This vulnerability stems from improper handling of data types within the FreeType library during the parsing of font subglyph structures. This could causes incorrect calculations that result in heap buffer allocation being too small. This could allow the library write data beyond the allocated buffer, affecting adjacent memory areas, leading into arbitrary code executions compromising the entire system and system stability such as misleading behaviors in applications which relies on FreeType, or causing possible crashes impacting the entire system.
Меры по смягчению последствий
By restricting the sources from which font files can be loaded allowing only fonts from trusted sources, as well as validating the input for font files to avoid malformed font structures or any data which could trigger the vulnerability would reduce the risk and mitigate this vulnerability until the fix is provided.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of OpenJDK 11 | java-11-openjdk | Not affected | ||
| Red Hat build of OpenJDK 17 | java-17-openjdk | Not affected | ||
| Red Hat build of OpenJDK 21 | java-21-openjdk-rhel7 | Not affected | ||
| Red Hat Enterprise Linux 10 | freetype | Not affected | ||
| Red Hat Enterprise Linux 10 | gjs | Not affected | ||
| Red Hat Enterprise Linux 10 | java-21-openjdk | Not affected | ||
| Red Hat Enterprise Linux 6 | freetype | Out of support scope | ||
| Red Hat Enterprise Linux 7 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 8 | java-17-openjdk | Not affected | ||
| Red Hat Enterprise Linux 8 | java-21-openjdk | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
An out of bounds write exists in FreeType versions 2.13.0 and below (n ...
EPSS
8.1 High
CVSS3