
Meta has warned about a dangerous vulnerability in FreeType, a widely used font-rendering library that many applications depend on. Hackers may already have exploited it in the wild. Some Linux distributions include vulnerable versions.
The flaw is rated high severity, with a CVSS score of 8.1 out of 10. It lets an attacker execute arbitrary code on a vulnerable system when that system tries to render a malicious font file of certain types.
“An out-of-bounds write (a type of memory vulnerability) exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable),” Facebook said in the security advisory.
It further explains that the bug sits in the parsing of font subglyph structures for TrueType GX and variable font files: the code assigns a signed short value to an unsigned long and then adds a fixed value, so a negative count wraps around and the heap buffer it allocates is too small. The parser then writes “up to six signed long integers out of bounds” relative to that buffer.
“This may result in arbitrary code execution. This vulnerability may have been exploited in the wild,” Facebook noted.
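To make that arithmetic concrete, here is an added illustration written for this article; it is not FreeType's source code. The function names are invented, and FIXED_ENTRIES is a hypothetical constant set to 6 only to mirror the advisory's “up to six”. A signed 16-bit count read from an untrusted file is widened to unsigned long (sign-extending a negative value), a constant is added, and the sum is used as an allocation size; the hardened variant rejects the negative count before widening.

```c
/* Added example (not FreeType's code): toy model of the size miscalculation.
 * A signed short count from the font is assigned to an unsigned long and a
 * constant is added, so a negative count wraps to a tiny allocation while the
 * parser still writes its fixed entries. FIXED_ENTRIES = 6 is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

#define FIXED_ENTRIES 6UL

/* Vulnerable computation: implicit widening of a negative short sign-extends,
 * e.g. -3 becomes 0xFFFF...FFFD; adding 6 then wraps around to 3. */
unsigned long vuln_alloc_count(short count_from_file)
{
    unsigned long n = count_from_file;   /* sign-extended, never checked */
    return n + FIXED_ENTRIES;            /* wraps for small negative counts */
}

/* Hardened computation: a count cannot be negative, so reject it before the
 * widening, and guard the addition. Returns 0 on rejection; 0 is never a
 * valid size here because the minimum valid result is FIXED_ENTRIES. */
unsigned long safe_alloc_count(short count_from_file)
{
    if (count_from_file < 0)
        return 0;
    unsigned long n = (unsigned long)count_from_file;
    if (n > ULONG_MAX - FIXED_ENTRIES)
        return 0;   /* unreachable for a short, kept to show the pattern */
    return n + FIXED_ENTRIES;
}

/* Model of the write phase against the vulnerable size: the parser writes
 * FIXED_ENTRIES longs at the start of the buffer, then one entry per file
 * element (none when count <= 0). Rather than corrupting memory, report how
 * many of those long writes would land outside the allocation. */
unsigned long vuln_oob_writes(short count_from_file)
{
    unsigned long alloc  = vuln_alloc_count(count_from_file);
    unsigned long writes = FIXED_ENTRIES +
        (count_from_file > 0 ? (unsigned long)count_from_file : 0UL);
    return writes > alloc ? writes - alloc : 0UL;
}

int main(void)
{
    /* Constructed sample counts, as a hostile font could supply them. */
    short samples[] = { 10, 0, -1, -3, -6, -7 };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        printf("count %4d: vulnerable alloc %20lu longs, OOB writes %lu, hardened: %s\n",
               samples[i],
               vuln_alloc_count(samples[i]),
               vuln_oob_writes(samples[i]),
               safe_alloc_count(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

A count of -1 yields an allocation of 5 longs and one write past the end; -6 wraps the size to 0 and all six fixed writes are out of bounds. A count of -7 does not wrap, producing an absurdly large size that malloc would simply refuse, which is why only a narrow band of negative values turns the miscalculation into a silent heap overflow.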
FreeType 2.13.0, the last vulnerable version, was released on February 9th, 2023, and was superseded by 2.13.1 in June of that year.
However, many systems still ship older FreeType releases to render fonts.
According to the oss-security mailing list, multiple Linux distributions and software packages include older versions of FreeType, including Ubuntu 22.04, Amazon Linux 2, Debian stable / Devuan, RHEL / CentOS Stream / Alma Linux / etc. 8 and 9, GNU Guix, Mageia, OpenMandriva, openSUSE Leap, Slackware, Debian Bookworm. Distributions usually fix this kind of issue by backporting the patch into their existing package version rather than moving to a new upstream release, so the upstream version string alone does not show whether a given package is patched; the distribution's own security advisory lists the fixed package version.
Web browsers already include newer versions of FreeType.
“The bug would not be too concerning if people only used trusted fonts, as used to be routine. However, webpages now embed fonts, and the affected ‘variable font files’ format is widely used in browsers. It allows parametric adjustment of font properties,” one security researcher explained.