Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

FreeType Out-of-Bounds Write Vulnerability in Versions Through 2.13.0 Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in FreeType versions through 2.13.0, related to an out-of-bounds write when parsing font subglyph structures from TrueType GX and variable font files. The issue arises because the code improperly assigns a signed short value to an unsigned long; a negative value is converted into a very large unsigned value, leading to a buffer overflow. This flaw allows the code to write up to six signed long integers out of bounds, potentially causing arbitrary code execution. There are indications that this vulnerability may have been exploited in the wild.
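To illustrate the bug class described above, the following is a constructed C example added here; it is not FreeType code and does not reproduce the font parser. It shows how a negative 16-bit count stored in an unsigned long becomes a huge value, how a capacity check written in additive form wraps around and accepts it, and how validating the sign before conversion and writing the check in subtractive form rejects it. The names TABLE_CAP, EXTRA_SLOTS, count_as_ulong, naive_fits and safe_count are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a fixed-size per-glyph table (assumption). */
#define TABLE_CAP   64UL
/* Constructed headroom constant, echoing the advisory's "up to six" entries. */
#define EXTRA_SLOTS 6UL

/* Vulnerable pattern: a count read from the file as a signed 16-bit value
 * is stored in an unsigned long. A negative count (e.g. -1) is converted
 * modulo 2^N and becomes ULONG_MAX instead of being rejected. */
unsigned long count_as_ulong(short raw_count)
{
    unsigned long count = raw_count;   /* -1 -> ULONG_MAX */
    return count;
}

/* A "does it fit" check written in additive form. When count is already
 * near ULONG_MAX, count + EXTRA_SLOTS wraps to a small number and the
 * check passes. Returns 1 if the check accepts the count. */
int naive_fits(unsigned long count)
{
    return count + EXTRA_SLOTS <= TABLE_CAP;
}

/* Hardened form: reject negative counts on the signed type before the
 * conversion, then compare in subtractive form so nothing can wrap.
 * Returns 1 and stores the validated count in *out (if out is non-NULL),
 * or returns 0 if the count must be rejected. */
int safe_count(short raw_count, unsigned long *out)
{
    if (raw_count < 0)
        return 0;                               /* negative: reject */
    unsigned long count = (unsigned long)raw_count;
    if (count > TABLE_CAP - EXTRA_SLOTS)
        return 0;                               /* would not fit */
    if (out)
        *out = count;
    return 1;
}

int main(void)
{
    short crafted = -1;                         /* constructed input */
    unsigned long c = count_as_ulong(crafted);
    unsigned long validated = 0;

    printf("signed -1 stored in unsigned long: %lu\n", c);
    printf("naive additive check accepts it:   %d\n", naive_fits(c));
    printf("hardened check accepts it:         %d\n",
           safe_count(crafted, &validated));
    printf("hardened check accepts 10:         %d (count=%lu)\n",
           safe_count(10, &validated), validated);
    return 0;
}
```

Compile with `cc -Wall -Wextra -Wconversion demo.c`; the `-Wconversion` warning on the implicit assignment in `count_as_ulong` is exactly the kind of signal a code review or CI build should treat as an error when the value comes from untrusted file data.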

Impact

Exploitation of this vulnerability could lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by loading a crafted TrueType GX or variable font file into an application that uses FreeType for font rendering. The vulnerable FreeType version must be 2.13.0 or below. When the font is processed, the out-of-bounds write occurs, allowing for potential code execution.

Remediation

Users can upgrade to FreeType version 2.13.3 or later, which addresses this vulnerability. For those using older versions, a backport of the necessary fixes is available in the latest Debian LTS update.
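For inventorying installed builds against the version boundaries this advisory gives, here is a constructed C checker added as an example (not FreeType or Debian tooling). It parses a MAJOR.MINOR.PATCH string and classifies it using only what the page states: versions through 2.13.0 are affected and 2.13.3 or later contains the fix; releases between those two are reported as unclassified rather than guessed. The function names and return codes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Boundaries taken from the advisory text. */
static const int AFFECTED_MAX[3] = {2, 13, 0};   /* "through 2.13.0" */
static const int FIXED_MIN[3]    = {2, 13, 3};   /* "2.13.3 or later" */

/* Parse "MAJOR.MINOR.PATCH" into v[3]. Returns 1 on success, 0 if the
 * string is malformed or has trailing characters (e.g. "2.13.0-rc1"). */
int parse_version(const char *s, int v[3])
{
    int consumed = 0;
    if (sscanf(s, "%d.%d.%d%n", &v[0], &v[1], &v[2], &consumed) != 3)
        return 0;
    if (s[consumed] != '\0')
        return 0;
    if (v[0] < 0 || v[1] < 0 || v[2] < 0)
        return 0;
    return 1;
}

/* Lexicographic comparison: <0, 0, >0 like strcmp. */
int cmp_version(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Classification codes (assumed for this example):
 *   1 = affected (<= 2.13.0), 0 = fixed (>= 2.13.3),
 *   2 = not classified by the advisory, -1 = unparsable version string. */
int freetype_status(const char *version)
{
    int v[3];
    if (!parse_version(version, v))
        return -1;
    if (cmp_version(v, AFFECTED_MAX) <= 0)
        return 1;
    if (cmp_version(v, FIXED_MIN) >= 0)
        return 0;
    return 2;
}

int main(int argc, char **argv)
{
    static const char *labels[] = {"FIXED", "AFFECTED", "UNCLASSIFIED"};
    if (argc != 2) {
        fprintf(stderr, "usage: %s MAJOR.MINOR.PATCH\n", argv[0]);
        return 2;
    }
    int status = freetype_status(argv[1]);
    if (status < 0) {
        fprintf(stderr, "cannot parse version '%s'\n", argv[1]);
        return 2;
    }
    printf("FreeType %s: %s\n", argv[1], labels[status]);
    return status == 1;   /* non-zero exit when affected, for scripting */
}
```

On a system with the development package installed, the version string can be fed in from `pkg-config --modversion freetype2`; distribution backports (such as the Debian LTS update mentioned above) keep the upstream version number while carrying the fix, so treat an "AFFECTED" result from a distro build as a prompt to check the package changelog rather than as a final verdict.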

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 9.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.