Amazon Linux 2023 Security Advisory: ALAS2023-2025-925
Advisory Released Date: 2025-04-14
Advisory Updated Date: 2025-04-14
Severity:
Important
Issue Overview:
An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. (CVE-2025-27363)
Affected Packages:
freetype
Issue Correction:
Run dnf update freetype --releasever 2023.7.20250331 to update your system.
New Packages:
aarch64:
freetype-2.13.2-5.amzn2023.0.1.aarch64
freetype-demos-debuginfo-2.13.2-5.amzn2023.0.1.aarch64
freetype-debuginfo-2.13.2-5.amzn2023.0.1.aarch64
freetype-demos-2.13.2-5.amzn2023.0.1.aarch64
freetype-devel-2.13.2-5.amzn2023.0.1.aarch64
freetype-debugsource-2.13.2-5.amzn2023.0.1.aarch64
src:
freetype-2.13.2-5.amzn2023.0.1.src
x86_64:
freetype-debuginfo-2.13.2-5.amzn2023.0.1.x86_64
freetype-2.13.2-5.amzn2023.0.1.x86_64
freetype-demos-debuginfo-2.13.2-5.amzn2023.0.1.x86_64
freetype-demos-2.13.2-5.amzn2023.0.1.x86_64
freetype-devel-2.13.2-5.amzn2023.0.1.x86_64
freetype-debugsource-2.13.2-5.amzn2023.0.1.x86_64