Message-ID: <f5c89672-d78a-459e-889f-6f53464493cb@oracle.com>
Date: Tue, 3 Mar 2026 14:21:43 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Announcing FreeType 2.14.2, fixes CVE-2026-23865
While the announcement below says "A bunch of potential security problems have
been found. All users should update." the Meta CNA has issued CVE-2026-23865,
stating:
> Description:
>
> An integer overflow in the tt_var_load_item_variation_store function of the
> Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds
> read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts.
> This issue is fixed in version 2.14.2.
>
> Affected Version Information:
>
> FreeType (FreeType)
> Default Status: affected
> affected from 2.13.2 through 2.13.3
> affected from 2.14.0 through 2.14.1
>
> References:
>
> https://gitlab.com/freetype/freetype/-/commit/fc85a255849229c024c8e65f536fe1875d84841c
> https://sourceforge.net/projects/freetype/files/freetype2/2.14.2/
-------- Forwarded Message --------
Subject: Announcing FreeType 2.14.2
Date: Sun, 1 Mar 2026 20:46:54 +0000
From: Werner LEMBERG <wl@....org>
To: freetype-announce@...gnu.org, freetype@...gnu.org, freetype-devel@...gnu.org
FreeType 2.14.2 has been released.
It is available from
https://savannah.nongnu.org/download/freetype/
or
https://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
Enjoy!
Werner
PS: Downloads from savannah.nongnu.org will redirect to your nearest
mirror site. Files on mirrors may be subject to a replication
delay of up to 24 hours. In case of problems use
https://download-mirror.savannah.gnu.org/releases/
----------------------------------------------------------------------
https://www.freetype.org
FreeType 2 is a software font engine that is designed to be small,
efficient, highly customizable, and portable while capable of
producing high-quality output (glyph images) of most vector and bitmap
font formats.
Note that FreeType 2 is a font service and doesn't provide APIs to
perform higher-level features, like text layout or graphics processing
(e.g., colored text rendering, 'hollowing', etc.). However, it
greatly simplifies these tasks by providing a simple, easy to use, and
uniform interface to access the content of font files.
FreeType 2 is released under two open-source licenses: our own
BSD-like FreeType License and the GPL. It can thus be used by any
kind of project, be it proprietary or not.
----------------------------------------------------------------------
You can use a `.sig` file to verify that the corresponding file
(without the `.sig` suffix) is intact. First, be sure to download
both the `.sig` file and the corresponding archive. Then, run a
command like this:
gpg --verify freetype-2.14.2.tar.gz.sig
If that command fails because you don't have the required public key,
execute
gpg --keyserver pgp.mit.edu --recv-keys BE6C3AAC63AD8E3F
to import it, then rerun the `gpg --verify` command.
SHA1 file checksums:
ad090dafb29135d08665eba400a1b1b66edd7313 freetype-2.14.2.tar.gz
28200b8f8df5a524f476bdacb20f05da1c33280c freetype-2.14.2.tar.xz
cde32902a8bffed4c855570bc86a2584fa373ff8 ft2142.zip
dac409e7009221f14b9367d4581d54a895bfe624 ft2demos-2.14.2.tar.gz
cccaa9ec2e4327901fafd6e830885dc9131d9c2d ft2demos-2.14.2.tar.xz
c04d9c5ef4d929185c01d5f63162a4656578fd14 ftdmo2142.zip
aca81e3c7bb5793b957c2d4ff61e58ad726b00a5 freetype-doc-2.14.2.tar.gz
adf5448cb668073545ba87b23cff21a08b56d3de freetype-doc-2.14.2.tar.xz
4eeadfe25683500562a31f38920a24867e178f52 ftdoc2142.zip
SHA256 file checksums:
752c2671f85c54a84b7f0dd2b5cd26b6b741117033886ffbc5ac89a68464b848 freetype-2.14.2.tar.gz
4b62dcab4c920a1a860369933221814362e699e26f55792516d671e6ff55b5e1 freetype-2.14.2.tar.xz
ad3aed6fa521148de639aceb6ac7db25554c68ee122f086232dd33a327175eb1 ft2142.zip
fd63fabb75302b71a33f97dbf14e658309985569ed0eaac6355dd8862db65ff2 ft2demos-2.14.2.tar.gz
ae9ed4b095e73a3fbdb90363c138ea62ac4b0f55aa4bb345b9b2458783f9284f ft2demos-2.14.2.tar.xz
94f7ecdd05720bde3f15feae9bbf1e885640e97c06efc75c4badaaa6691a0b06 ftdmo2142.zip
5bf511f318256991d3fbe056f0a3fdb191c601c93f079edc7a4ee746e91ec1de freetype-doc-2.14.2.tar.gz
0514edfd6a7b480f753aa48789d7112038a218b0b06afdca320c4bcbc2f66e6b freetype-doc-2.14.2.tar.xz
d43d0ce570c8204299d35982b8eb66660d9bb945dbfbd1a00194f30c1225301d ftdoc2142.zip
CHANGES BETWEEN 2.14.1 and 2.14.2 (2026-Mar-01)
I. IMPORTANT CHANGES
- Several changes related to LCD filtering are implemented to
achieve better performance and encourage sound practices.
. Instead of blanket LCD filtering over the entire bitmap, it is
now applied only to non-zero spans using direct rendering. This
speeds up the ClearType-like rendering by more than 40% at sizes
above 32 ppem.
. Setting the filter weights with FT_Face_Properties is no longer
supported. The default and light filters are optimized to work
with any face.
. The legacy libXft LCD filter algorithm is no longer provided.
II. IMPORTANT BUG FIXES
- A bunch of potential security problems have been found. All users
should update.
- The italic angle in `PS_FontInfo` is now stored as a fixed-point
value in degrees for all Type 1 fonts and their derivatives,
consistent with CFF fonts and common practices. The broken
underline position and thickness values are fixed for CFF fonts.
III. MISCELLANEOUS
- The `x` field in the `FT_Span` structure is now unsigned.
- Demo program `ftgrid` got an option `-m` to select a start
character to display.
- Similarly, demo program `ftmulti` got an option `-m` to select a
text string for rendering.
- Option `-d` in the demo program `ttdebug` is now called `-a`,
expecting a comma-separated list of axis values. The user
interface is also slightly improved.
- The `ftinspect` demo program can now be compiled with Qt6, too.
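The CVE description above attributes the out-of-bounds read to an integer overflow while parsing the item variation store that HVAR, VVAR and MVAR share. The C below is an added example, not FreeType's code and not the fix in the referenced commit: it uses the public OpenType layout of the ItemVariationStore header and a constructed sample store to show the overflow-safe bounds checks such a parser needs (the `ivs_validate` and `in_bounds` helpers are hypothetical names).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Big-endian field readers (OpenType tables are big-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Overflow-safe "does [off, off+need) lie inside len bytes?". Written as off <= len - need
 * instead of off + need <= len, so a huge font-supplied offset cannot wrap around 2^32. */
static int in_bounds(size_t len, uint32_t off, size_t need) {
    return need <= len && off <= len - need;
}

/* Validate an ItemVariationStore header (hypothetical helper, not FreeType's):
 *   uint16 format; Offset32 variationRegionListOffset;
 *   uint16 itemVariationDataCount; Offset32 itemVariationDataOffsets[count]
 * Returns 0 if every offset points inside the store, -1 otherwise. */
int ivs_validate(const uint8_t *store, size_t store_len, uint16_t *data_count) {
    if (!in_bounds(store_len, 0, 8)) return -1;
    if (rd16(store) != 1) return -1;                  /* only format 1 is defined */
    uint32_t region_off = rd32(store + 2);
    uint16_t count = rd16(store + 6);
    /* The offset array needs 4*count bytes after the 8-byte header; compare count
     * against the space left instead of multiplying, so nothing can overflow. */
    if ((store_len - 8) / 4 < count) return -1;
    /* VariationRegionList begins with axisCount and regionCount (4 bytes). */
    if (!in_bounds(store_len, region_off, 4)) return -1;
    for (uint16_t i = 0; i < count; i++) {
        uint32_t data_off = rd32(store + 8 + 4 * (size_t)i);
        /* ItemVariationData begins with three uint16 counts (6 bytes). */
        if (!in_bounds(store_len, data_off, 6)) return -1;
    }
    if (data_count) *data_count = count;
    return 0;
}

/* Constructed sample: format 1, region list at offset 12, one data subtable at 16. */
const uint8_t sample_store[22] = {0,1, 0,0,0,12, 0,1, 0,0,0,16, 0,0,0,0, 0,0,0,0,0,0};

int main(void) {
    uint8_t bad[22];
    memcpy(bad, sample_store, sizeof bad);
    bad[2] = bad[3] = bad[4] = 0xFF; bad[5] = 0xFE;   /* region offset 0xFFFFFFFE */
    printf("sample: %d  wrapped offset: %d\n", ivs_validate(sample_store, 22, NULL),
           ivs_validate(bad, 22, NULL));               /* prints "sample: 0  wrapped offset: -1" */
    return 0;
}
```

With a naive `off + 4 <= len` test in 32-bit arithmetic, the wrapped offset 0xFFFFFFFE would pass (0xFFFFFFFE + 4 wraps to 2) and the region list would be read far outside the table.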