Welcome, Guest. Please login or register. Did you miss your activation email?

Author Topic: FreeType "All users should update immediately."  (Read 979 times)

0 Members and 1 Guest are viewing this topic.

tillplusplus

  • Newbie
  • *
  • Posts: 1
    • View Profile
FreeType "All users should update immediately."
« on: August 27, 2021, 11:28:00 pm »
Hello  :) ,
i was just looking at the FreeType Website and found:

"FreeType 2.10.4 2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately."


I then proceed to look into the version, that SFML uses, which is from 2008.
Does this FreeType vulnerability effect SFML?

Nexus

  • Moderator
  • Hero Member
  • *****
  • Posts: 6259
  • Thor Developer
    • View Profile
    • Bromeon
Re: FreeType "All users should update immediately."
« Reply #1 on: September 02, 2021, 11:06:18 am »
Hey, thanks for the heads up!

According to the release page:
Quote
I. IMPORTANT BUG FIXES

  - A heap buffer overflow has been found  in the handling of embedded
    PNG bitmaps, introduced in FreeType version 2.6.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999

    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
    immediately.

We don't use that option in SFML. Explanation can be found in extlibs/headers/freetype2/config/ftoption.h:
  /*************************************************************************/
  /*                                                                       */
  /* PNG bitmap support.                                                   */
  /*                                                                       */
  /*   FreeType now handles loading color bitmap glyphs in the PNG format. */
  /*   This requires help from the external libpng library.  Uncompressed  */
  /*   color bitmaps do not need any external libraries and will be        */
  /*   supported regardless of this configuration.                         */
  /*                                                                       */
  /*   Define this macro if you want to enable this `feature'.             */
  /*                                                                       */
/* #define FT_CONFIG_OPTION_USE_PNG */
 

That being said, this is definitely not the only vulnerability that was fixed in our C dependencies, and it would probably make sense to update all of them. What do others think?
Zloxx II: action platformer
Thor Library: particle systems, animations, dot products, ...
SFML Game Development: first SFML book

 

anything