FreeType "All users should update immediately."

[tillplusplus]

Hello  ,
i was just looking at the FreeType Website and found:

"FreeType 2.10.4 2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately."

I then proceed to look into the version, that SFML uses, which is from 2008.
Does this FreeType vulnerability effect SFML?

[Nexus]

Hey, thanks for the heads up!

According to the release page:

I. IMPORTANT BUG FIXES

  - A heap buffer overflow has been found  in the handling of embedded
    PNG bitmaps, introduced in FreeType version 2.6.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
    immediately.

We don't use that option in SFML. Explanation can be found in extlibs/headers/freetype2/config/ftoption.h:

  /*************************************************************************/
  /*                                                                       */
  /* PNG bitmap support.                                                   */
  /*                                                                       */
  /*   FreeType now handles loading color bitmap glyphs in the PNG format. */
  /*   This requires help from the external libpng library.  Uncompressed  */
  /*   color bitmaps do not need any external libraries and will be        */
  /*   supported regardless of this configuration.                         */
  /*                                                                       */
  /*   Define this macro if you want to enable this `feature'.             */
  /*                                                                       */
/* #define FT_CONFIG_OPTION_USE_PNG */
 

That being said, this is definitely not the only vulnerability that was fixed in our C dependencies, and it would probably make sense to update all of them. What do others think?