Security update for freetype2

Announcement ID:	SUSE-SU-2026:20730-1
Release Date:	2026-03-16T13:24:14Z
Rating:	moderate
References:	bsc#1252148 bsc#1259118
Cross-References:	CVE-2026-23865
CVSS scores:	CVE-2026-23865 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-23865 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-23865 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected Products:	SUSE Linux Micro 6.0

An update that solves one vulnerability and has one fix can now be installed.

Description:

This update for freetype2 fixes the following issue:

Update to freetype2 2.14.2:

• CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store function (bsc#1259118).

Changelog:

• Several changes related to LCD filtering are implemented to achieve better performance and encourage sound practices.
• Instead of blanket LCD filtering over the entire bitmap, it is now applied only to non-zero spans using direct rendering. This speeds up the ClearType-like rendering by more than 40% at sizes above 32 ppem.
• Setting the filter weights with FT_Face_Properties is no longer supported. The default and light filters are optimized to work with any face.
• The legacy libXft LCD filter algorithm is no longer provided.
• The italic angle in PS_FontInfo is now stored as a fixed-point value in degrees for all Type 1 fonts and their derivatives, consistent with CFF fonts and common practices. The broken underline position and thickness values are fixed for CFF fonts.
• The x field in the FT_Span structure is now unsigned.
• Demo program ftgrid got an option -m to select a start character to display.
• Similarly, demo program ftmulti got an option -m to select a text string for rendering.
• Option -d in the demo program ttdebug is now called -a, expecting a comma-separated list of axis values. The user interface is also slightly improved.
• The ftinspect demo program can now be compiled with Qt6, too.
• The auto-hinter got new abilities. It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary
• Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines.
• Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph
• The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed.
• Handling of Variation Fonts is now considerably faster
• TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed-point multiplication.
• The BDF driver now loads fonts 75% faster.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-623=1

Package List:

• SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  • freetype2-debugsource-2.14.2-1.1
  • libfreetype6-2.14.2-1.1
  • libfreetype6-debuginfo-2.14.2-1.1

References:

• https://www.suse.com/security/cve/CVE-2026-23865.html
• https://bugzilla.suse.com/show_bug.cgi?id=1252148
• https://bugzilla.suse.com/show_bug.cgi?id=1259118