+ "details": "### Impact\n\nThe Linux wheels for skia-python vendor a vulnerable version of\nlibfreetype that is affected by CVE-2025-27363 [1].\n\nThe root cause is a chain of unfortunate events:\n\n1. skia-python builds wheels using pinned pypa/cibuildwheel@2.21.3 [2]\n\n2. cibuildwheel 2.21.3 in turn pins manylinux container images [3]\n\n3. In these images, version 2.9.1-9.el8 of RedHat package freetype is\n*preinstalled*. This package version is vulnerable and has since been\npatched in 2.9.1-10.\n\n4. During the skia-python Linux build, libfreetype is vendored from the\nsystem, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1\n\n[ To find the provenance of your vendored libfreetype, we extracted the\n8-character hash of the original binary file that is added during the\nbuild process (29a7443c), and matched it against our database of hashes\nall historic Red Hat, Debian and Ubuntu releases of freetype. ]\n\n5. Because freetype is only a *transitive* dependency of the packages\nexplicitly installed by the build script [4], it is not upgraded to the\npatched version [4].\n\n5. As a result, the published wheels embed a vulnerable libfreetype,\neven though patched packages are available upstream.\n\nThis appears to be a broader manylinux ecosystem issue. The base images\ndo not enforce that `yum update` runs on container start, so\npreinstalled libraries may remain vulnerable indefinitely.\n\n\n### Patches\n\n> In the case of skia-python, the solution is to explicitly install freetype in the build process and rebuild the wheels.\n\nThe original report was suggesting the above, but in the current `build_Linux.sh` script, the patched `freetype-devel` version 2.9.1-10 gets installed as a dependency. It's just that we need to rebuild the wheel for a new release.\n\n### Workarounds\n\nUsers must upgrade the wheel package after release.\n\n### References\n\n1. https://nvd.nist.gov/vuln/detail/CVE-2025-27363\n2. 
https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/.github/workflows/ci.yml#L38\n3. https://github.com/pypa/cibuildwheel/blob/v2.21.3/cibuildwheel/resources/pinned_docker_images.cfg\n4. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/scripts/build_Linux.sh#L6",
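Review bot: the numbered root-cause list in the `details` field has two items numbered 5 (the transitive-dependency step and the "As a result" step), so the last one should be 6; the first of those two also cites [4] twice in the same sentence, and the bracketed provenance note is missing "of" in "our database of hashes all historic Red Hat, Debian and Ubuntu releases" (should read "hashes of all historic"). More substantively, step 5 says freetype is not upgraded because it is only a transitive dependency, while the Patches section says the patched `freetype-devel` 2.9.1-10 does get installed as a dependency by the current `build_Linux.sh`; consider reconciling these by stating that the transitive-dependency explanation applies to the script at the commit referenced in [2] and [4], and that the current script already pulls the patched package so only a rebuild and re-release of the wheels is required. The Workarounds section ("Users must upgrade the wheel package after release") describes the fix rather than a workaround; if none exists before the rebuilt wheels ship, say so explicitly.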