.freetype.metadata

@@ -0,0 +1,3 @@
+220c82062171c513e4017c523d196933c9de4a7d SOURCES/freetype-2.9.1.tar.bz2
+bb6c973f9fef972ad4ecc03bc09ed676b8dc0d59 SOURCES/freetype-doc-2.9.1.tar.bz2
+45704d7b75c4f9fdd6a9b3787918e8220b36aa77 SOURCES/ft2demos-2.9.1.tar.bz2

.gitignore

@@ -1,6 +1,3 @@
 SOURCES/freetype-2.9.1.tar.bz2
 SOURCES/freetype-doc-2.9.1.tar.bz2
 SOURCES/ft2demos-2.9.1.tar.bz2
-/freetype-2.9.1.tar.bz2
-/freetype-doc-2.9.1.tar.bz2
-/ft2demos-2.9.1.tar.bz2

SOURCES/freetype-2.9.1-cve-2025-27363.patch

@@ -0,0 +1,27 @@
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 39d9c3f..d36cbe9 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1840,7 +1840,7 @@
+         short        i, limit;
+         FT_SubGlyph  subglyph;
+
+-        FT_Outline  outline;
++        FT_Outline  outline = { 0, 0, NULL, NULL, NULL, 0 };
+         FT_Vector*  points   = NULL;
+         char*       tags     = NULL;
+         short*      contours = NULL;
+@@ -1848,6 +1848,13 @@
+
+         limit = (short)gloader->current.num_subglyphs;
+
++        /* make sure this isn't negative as we're going to add 4 later */
++        if ( limit < 0 )
++        {
++          error = FT_THROW( Invalid_Argument );
++          goto Exit;
++        }
++
+         /* construct an outline structure for              */
+         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
+         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );

SPECS/freetype.spec

@@ -3,7 +3,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.9.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -42,6 +42,11 @@ Patch11:  freetype-2.9.1-properly-guard-face-index.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2077985
 Patch12:  freetype-2.9.1-guard-face-size.patch
 
+# CVE-2025-27363
+# https://access.redhat.com/security/cve/cve-2025-27363
+# Patch by Marc Deslauriers of Canonical
+Patch13: freetype-2.9.1-cve-2025-27363.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
@@ -106,6 +111,7 @@ popd
 %patch10 -p1 -b .windres
 %patch11 -p1 -b .properly-guard-face-index
 %patch12 -p1 -b .guard-face-size
+%patch13 -p1 -b .cve-2025-27363
 
 %build
 
@@ -218,6 +224,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 
 %changelog
+* Fri Mar 14 2025 Jonathan Wright <jonathan@almalinux.org> - 2.9.1-10
+- Fix CVE-2025-27363 Out-of-bounds Write
+- Resolves: RHEL-83094
+
 * Fri May 27 2022 Marek Kasik <mkasik@redhat.com> - 2.9.1-9
 - Guard face->size
 - Resolves: #2079279

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

sources

@@ -1,3 +0,0 @@
-SHA512 (freetype-2.9.1.tar.bz2) = 856766e1f3f4c7dc8afb2b5ee991138c8b642c6a6e5e007cd2bc04ae58bde827f082557cf41bf541d97e8485f7fd064d10390d1ee597f19d1daed6c152e27708
-SHA512 (freetype-doc-2.9.1.tar.bz2) = 1668f02f67e6e047df04e5e2fccb564cd9af780ec9b3c4878109868302a83eaec7b627390ff82c3e875122400e6f20fc690936a1e4964dfa65143e5309fa22d4
-SHA512 (ft2demos-2.9.1.tar.bz2) = 38bee59184b20c2eb983deaa5c1f241e31c1b4793e47dc06b1b419601489cfece3b11fde4cf4fb6c5af12254ad0c1ce9a1547885c208e8e715655e9c48f22a46