OOB write fixes for CVE-2025-27363

Merge Request Required Information

Summary of Changes

Simplified fix for CVE-2025-27363 from Marc Deslauriers (Ubuntu) https://www.openwall.com/lists/oss-security/2025/03/14/3

amended by Jonathan Wright (Alma) to apply cleanly to EL9 and with the initialization fix from https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d

suggested by a member of the Meta security team.

This has been tested against a POC crafted font (shared under embargo) to be sufficient to prevent the issue; we have concerns that trying to cherry-pick fixes from 2.13.x requires backporting a lot of commits (up to 4 identified so far) and is riskier than just fixing the specific issues:

• https://gitlab.freedesktop.org/freetype/freetype/-/commit/c71eb22dde1a3101891a865fdac20a6de814267d
• https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
• https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
• https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f

Approved Development Ticket(s)

• https://issues.redhat.com/browse/RHEL-83104
• https://issues.redhat.com/browse/RHEL-83109

Click for formatting instructions

Please follow the CentOS Stream contribution documentation for how to file this ticket and have it approved.

List tickets each on their own line of this description using the format "Resolves: RHEL-76229", "Related: RHEL-76229" or "Reverts: RHEL-76229", as appropriate.

Starting check jobs. Status at https://centos.softwarefactory-project.io/zuul/t/centos/status

added 1 commit

• 56abe5aa - TrueType clean up and unsigned fixes for CVE-2025-27363

Compare with previous version

Starting check jobs. Status at https://centos.softwarefactory-project.io/zuul/t/centos/status

Build succeeded. https://centos.softwarefactory-project.io/zuul/t/centos/buildset/a2d48244027f488eae3efec1c667a78a

• mock-build https://centos.softwarefactory-project.io/zuul/t/centos/build/335d936c09c04a21a1fd35c009b05786 : SUCCESS in 5m 03s
• rpm-rpminspect https://centos.softwarefactory-project.io/zuul/t/centos/build/0f1c8534f6704f7b90bbc3c2b66be674 : FAILURE in 3m 37s (non-voting)
• check-for-sti-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/5c60d41c5cfe41a3ad86ef1417b74e4f : SUCCESS in 15s (non-voting)
• check-for-tmt-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/1e099429758745db91dbdf7cc079277e : SUCCESS in 15s (non-voting) Skipped 2 jobs

approved this merge request

Build succeeded. https://centos.softwarefactory-project.io/zuul/t/centos/buildset/e6c9070c0d41407bbdb0c64e9783a99d

• mock-build https://centos.softwarefactory-project.io/zuul/t/centos/build/60b14a97f6954d6d864ae697d8f22982 : SUCCESS in 5m 21s
• rpm-rpminspect https://centos.softwarefactory-project.io/zuul/t/centos/build/7b07baf65fa5415fb728564bfbd2164a : FAILURE in 3m 36s (non-voting)
• check-for-sti-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/d44d634c14c34e9e899bc63f6c283ed5 : SUCCESS in 15s (non-voting)
• check-for-tmt-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/2ea4b4c299bc413abad86e1f5568b5bb : SUCCESS in 16s (non-voting) Skipped 2 jobs

Looks like only the rpminspect fails (which I think is unrelated to this MR), but for completeness, I tried building it in EPEL 9 and like the mock build here it passes too

https://koji.fedoraproject.org/koji/taskinfo?taskID=130196822

Confirmed that the Hyperscale build of this commit works fine on a CentOS 9 VM after rebooting - no font rendering issues seen

https://cbs.centos.org/koji/buildinfo?buildID=59280

added 1 commit

• f17e315b - TrueType clean up and unsigned fixes for CVE-2025-27363

Compare with previous version

Starting check jobs. Status at https://centos.softwarefactory-project.io/zuul/t/centos/status

unapproved this merge request

I've updated this since with the patch applied, it turns out I missed some points -> outline.points when redoing the commit applied to 2.13.x. It builds now, doing manual testing on my c9s VM in a bit and will report back.

resolved all threads

resolved all threads

Build succeeded. https://centos.softwarefactory-project.io/zuul/t/centos/buildset/8fde85bf8cb542b085aa556716c0ac49

• mock-build https://centos.softwarefactory-project.io/zuul/t/centos/build/9bd8123979d54affbddf5a7c094ed3c8 : SUCCESS in 5m 33s
• rpm-rpminspect https://centos.softwarefactory-project.io/zuul/t/centos/build/327014667af3447882675447a7337892 : SUCCESS in 3m 24s (non-voting)
• check-for-sti-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/6842062f2ffb44d7b3b3d299aa670286 : SUCCESS in 15s (non-voting)
• check-for-tmt-tests https://centos.softwarefactory-project.io/zuul/t/centos/build/17797da1b3e1439888ae6e7aa26badac : SUCCESS in 15s (non-voting) Skipped 2 jobs

approved this merge request

requested review from @mkasik

Finding no issues in testing.

LGTM.

Do hold on this, we need to also incorporate https://gitlab.freedesktop.org/freetype/freetype/-/commit/c71eb22dde1a3101891a865fdac20a6de814267d which fixes FT_QNEW_ARRAY