SFML community forums

General => SFML development => Topic started by: tillplusplus on August 27, 2021, 11:28:00 pm

Title: FreeType "All users should update immediately."
Post by: tillplusplus on August 27, 2021, 11:28:00 pm
Hello :),
I was just looking at the FreeType website and found:

"FreeType 2.10.4 2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately."


I then proceeded to look into the version that SFML uses, which is from 2008.
Does this FreeType vulnerability affect SFML?

Title: Re: FreeType "All users should update immediately."
Post by: Nexus on September 02, 2021, 11:06:18 am
Hey, thanks for the heads up!

According to the release page (https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/):
Quote
I. IMPORTANT BUG FIXES

  - A heap buffer overflow has been found  in the handling of embedded
    PNG bitmaps, introduced in FreeType version 2.6.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
    immediately.

We don't use that option in SFML. Explanation can be found in extlibs/headers/freetype2/config/ftoption.h:
  /*************************************************************************/
  /*                                                                       */
  /* PNG bitmap support.                                                   */
  /*                                                                       */
  /*   FreeType now handles loading color bitmap glyphs in the PNG format. */
  /*   This requires help from the external libpng library.  Uncompressed  */
  /*   color bitmaps do not need any external libraries and will be        */
  /*   supported regardless of this configuration.                         */
  /*                                                                       */
  /*   Define this macro if you want to enable this `feature'.             */
  /*                                                                       */
/* #define FT_CONFIG_OPTION_USE_PNG */
 

That being said, this is definitely not the only vulnerability that was fixed in our C dependencies, and it would probably make sense to update all of them. What do others think?
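
The check described in the reply above, as an added example that is not part of the thread and is not SFML or FreeType code: a C sketch that decides whether a vendored ftoption.h actively defines FT_CONFIG_OPTION_USE_PNG (a commented-out line like the one quoted does not count) and whether a version falls in the range the release notes give. The function names and sample strings are constructed for illustration, and it assumes the macro is not affected by preprocessor conditionals, #undef or line splices.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed samples: the option line as quoted in the thread, and an enabled variant. */
static const char *SAMPLE_OFF = "/* PNG bitmap support. */\n/* #define FT_CONFIG_OPTION_USE_PNG */\n";
static const char *SAMPLE_ON  = "/* PNG bitmap support. */\n#define FT_CONFIG_OPTION_USE_PNG\n";

/* True if `macro` is #define'd outside block and line comments in header text `src`. */
bool macro_defined(const char *src, const char *macro) {
    size_t mlen = strlen(macro);
    bool in_comment = false, line_start = true; /* line_start: only blanks/comments so far */
    for (const char *p = src; *p; p++) {
        if (in_comment) {
            if (p[0] == '*' && p[1] == '/') { in_comment = false; p++; }
            continue;
        }
        if (p[0] == '/' && p[1] == '*') { in_comment = true; p++; continue; }
        if (p[0] == '/' && p[1] == '/') { while (p[1] && p[1] != '\n') p++; continue; }
        if (*p == '\n') { line_start = true; continue; }
        if (isspace((unsigned char)*p)) continue;
        if (line_start && *p == '#') {              /* '#' in directive position */
            const char *q = p + 1;
            while (*q == ' ' || *q == '\t') q++;
            if (strncmp(q, "define", 6) == 0 && (q[6] == ' ' || q[6] == '\t')) {
                q += 6;
                while (*q == ' ' || *q == '\t') q++;
                /* Match the whole identifier, not a longer name sharing the prefix. */
                if (!strncmp(q, macro, mlen) && !isalnum((unsigned char)q[mlen]) && q[mlen] != '_')
                    return true;
            }
        }
        line_start = false;
    }
    return false;
}

/* Range from the quoted release notes: introduced in 2.6, fixed in 2.10.4. */
bool version_in_range(int vmaj, int vmin, int vpat) {
    long v = vmaj * 10000L + vmin * 100L + vpat;
    return v >= 20600L && v < 21004L;
}
bool needs_upgrade(const char *ftoption_h, int vmaj, int vmin, int vpat) {
    return version_in_range(vmaj, vmin, vpat) && macro_defined(ftoption_h, "FT_CONFIG_OPTION_USE_PNG");
}

int main(void) {
    printf("off: %d, on: %d\n", needs_upgrade(SAMPLE_OFF, 2, 10, 3), needs_upgrade(SAMPLE_ON, 2, 10, 3));
    return 0;
}
```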