Amazon Linux 1 (EOL) Security Advisory: ALAS-2025-1976
Advisory Released Date: 2025-05-12
Advisory Updated Date: 2025-05-12
Severity:
Important
Issue Overview:
An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. (CVE-2025-27363)
Affected Packages:
freetype
Issue Correction:
Run yum update freetype to update your system.
New Packages:
i686:
freetype-debuginfo-2.3.11-19.17.amzn1.i686
freetype-devel-2.3.11-19.17.amzn1.i686
freetype-demos-2.3.11-19.17.amzn1.i686
freetype-2.3.11-19.17.amzn1.i686
src:
freetype-2.3.11-19.17.amzn1.src
x86_64:
freetype-demos-2.3.11-19.17.amzn1.x86_64
freetype-debuginfo-2.3.11-19.17.amzn1.x86_64
freetype-devel-2.3.11-19.17.amzn1.x86_64
freetype-2.3.11-19.17.amzn1.x86_64