update third_party/freetype2 to 2.6.3 or higher |
||||||||
Issue descriptionCurrent version of freetype library under https://code.google.com/p/chromium/codesearch#chromium/src/third_party/freetype2/ is 2.4.8 which has been released in 2011. This version is exteremly out of date and contains more than 50+ known security bugs. Some references are here: https://codereview.chromium.org/1776323002/ If this software isn't used in Chromium and an update doesn't make sense, please consider a possibility to remove it from repository.
,
Apr 1 2016
,
May 24 2016
,
May 27 2016
,
May 30 2016
,
Jun 30 2016
I've made an attempt to roll version 2.6.3, now waiting for trybots result: https://codereview.chromium.org/2113713002/ IIUC, the main point against the update is "We do not ship freetype to our users". Anyway, we want to keep our users safer. We should care about libraries which are used by Chrome even if we don't ship them. Fuzzing of up-to-date fretype2 version at ClusterFuzz is very important for that.
,
Mar 20 2017
This is now at 2.7.1+.
,
Mar 21 2017
,
Jun 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by mmoroz@chromium.org
, Apr 1 2016