From 61fdf05f0ed8e2332ee20a44e392a14cf71d2162 Mon Sep 17 00:00:00 2001
From: Michel Lind <salimma@centosproject.org>
Date: Fri, 14 Mar 2025 12:57:35 -0500
Subject: [PATCH] Fix for CVE-2025-27363 out-of-bound write vulnerability

Resolves: RHEL-83104
Resolves: RHEL-83109

Signed-off-by: Michel Lind <salimma@centosproject.org>
---
 freetype-2.10.4-cve-2025-27363.patch | 25 +++++++++++++++++++++++++
 freetype.spec                        | 19 ++++++++++++++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 freetype-2.10.4-cve-2025-27363.patch

diff --git a/freetype-2.10.4-cve-2025-27363.patch b/freetype-2.10.4-cve-2025-27363.patch
new file mode 100644
index 0000000..5b4aa38
--- /dev/null
+++ b/freetype-2.10.4-cve-2025-27363.patch
@@ -0,0 +1,25 @@
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1944,7 +1944,7 @@
+         short        i, limit;
+         FT_SubGlyph  subglyph;
+ 
+-        FT_Outline  outline;
++        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
+         FT_Vector*  points    = NULL;
+         char*       tags      = NULL;
+         short*      contours  = NULL;
+@@ -1953,6 +1953,13 @@
+ 
+         limit = (short)gloader->current.num_subglyphs;
+ 
++        /* make sure this isn't negative as we're going to add 4 later */
++        if ( limit < 0 )
++        {
++          error = FT_THROW( Invalid_Argument );
++          goto Exit;
++        }
++
+         /* construct an outline structure for              */
+         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );
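Review bot: The `limit < 0` guard only rejects counts whose value as a `short` is negative, but a `num_subglyphs` of 32764 through 32767 passes it and still makes `(short)( gloader->current.num_subglyphs + 4 )` on the last line of the hunk wrap to a negative `n_points`; whether that is then caught depends on how the allocation that follows (outside the hunk) treats a negative count. Checking the value before it is narrowed closes both cases: `if ( gloader->current.num_subglyphs > SHRT_MAX - 4 )` in place of `if ( limit < 0 )`, with `SHRT_MAX` from `<limits.h>` if it is not already reachable here. A count of 65536 or more would also wrap `limit` back to a small non-negative value and pass silently, assuming the loader can accumulate that many subglyphs, which is not visible here. The comment could then read `/* n_points is a short; reject counts that would overflow it once 4 is added */` instead of describing `limit`, since the addition on the last line is applied to `num_subglyphs`, not to `limit`. The enclosing function starts before the patch's first hunk and continues after its last.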
diff --git a/freetype.spec b/freetype.spec
index 54d9458..e188fe9 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -4,7 +4,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.10.4
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL: http://www.freetype.org
 Source:  http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz
@@ -41,6 +41,17 @@ Patch10: freetype-2.10.4-properly-guard-face_index.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2077985
 Patch11: freetype-2.10.4-guard-face-size.patch
 
+# CVE-2025-27363
+# https://access.redhat.com/security/cve/cve-2025-27363
+# https://bugzilla.redhat.com/show_bug.cgi?id=2351357
+# https://issues.redhat.com/browse/RHEL-83104
+# https://issues.redhat.com/browse/RHEL-83109
+# Patch initially by Marc Deslauriers of Canonical
+# https://www.openwall.com/lists/oss-security/2025/03/14/3
+# Adjusted for EL9 by Jonathan Wright of AlmaLinux
+# and a member of the Meta security team
+Patch12: freetype-2.10.4-cve-2025-27363.patch
+
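Review bot: The Patch12 comment block records the backport's authors and the tracker links but not the upstream FreeType commit it corresponds to, so the next rebase cannot tell whether this 2.10.4 adaptation matches or diverges from what upstream shipped. A line such as `# Upstream commit: <id>` under the oss-security link would give that anchor, if the post or the bugzilla entry names one. Stating the upstream release that contains the fix would likewise tell a future packager when the patch can be dropped.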
 BuildRequires:  gcc
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
@@ -108,6 +119,7 @@ popd
 %patch9 -p1 -b .avoid-invalid-face-index
 %patch10 -p1 -b .properly-guard-face_index
 %patch11 -p1 -b .guard-face-size
+%patch12 -p1 -b .cve-2025-27363
 
 %build
 
@@ -249,6 +261,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
+* Fri Mar 14 2025 Michel Lind <salimma@centosproject.org> - 2.10.4-10
+- Fix for CVE-2025-27363 out-of-bound write vulnerability
+- Resolves: RHEL-83104
+- Resolves: RHEL-83109
+
 * Tue May 31 2022 Marek Kasik <mkasik@redhat.com> - 2.10.4-9
 - Guard face->size
 - Resolves: #2079280
-- 
GitLab