Closed
Bug 1458905
Opened Last year
Closed Last year
Update freetype2 to 2.9.1
Categories
(Core :: Graphics: Text, defect)
Core
Graphics: Text
Not set
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | disabled |
| firefox59 | --- | unaffected |
| firefox60 | --- | wontfix |
| firefox61 | + | fixed |
| firefox62 | + | fixed |
People
(Reporter: tjr, Assigned: RyanVM)
References
Details
(Keywords: sec-audit, Whiteboard: [adv-main61-])
Attachments
(1 file)
|
1.66 MB,
patch
|
jfkthame
:
review+
RyanVM
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library. freetype2 is currently at version 2.9 in mozilla-central, and the latest version of the library released is 2.9.1. I fetched the latest version of the library from http://download.savannah.gnu.org/releases/freetype/. It looks like this may be a security release, so tagging as such.
|
Assignee | |
Comment 1•Last year
|
||
We pretty aggressively backported the upstream security fixes to 60/61 as they landed: https://hg.mozilla.org/mozilla-central/file/default/modules/freetype2/README.moz-patches Tom, are you aware of any other scary-looking upstream commits that would justify taking this urgently? Otherwise, I'd prefer to wait until next week after we're clear of the Nightly soft freeze.
status-firefox59:
--- → unaffected
status-firefox60:
--- → affected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → affected
Flags: needinfo?(tom)
|
|
Assignee | |
Comment 3•Last year
|
||
Thanks, I'll take this next week. And also, since we don't ship Android builds off ESR60, I think we can wontfix this bug for there (since it's the release we ship which uses the in-tree FT2).
Assignee: nobody → ryanvm
|
|
Assignee | |
Comment 4•Last year
|
||
First attempt has bustage: https://treeherder.mozilla.org/logviewer.html#?job_id=177267288&repo=try&lineNumber=29189
|
|
Assignee | |
Comment 5•Last year
|
||
Easy fix. Just needed to remove two files from moz.build which were added to ftbase.c as #includes instead. https://treeherder.mozilla.org/#/jobs?repo=try&revision=4fd11122127493b1778846af5f99384235181436
Attachment #8973734 -
Flags: review?(jfkthame)
|
|
Assignee | |
Updated•Last year
|
|
||
Comment 6•Last year
|
||
Comment on attachment 8973734 [details] [diff] [review] update freetype to version 2.9.1 Review of attachment 8973734 [details] [diff] [review]: ----------------------------------------------------------------- LGTM -- after reading the entire patch line-by-line, obviously. ;)
Attachment #8973734 -
Flags: review?(jfkthame) → review+
|
|
Assignee | |
Comment 7•Last year
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/796bf4be1f82
|
|
||
Comment 8•Last year
|
||
Comment on attachment 8973734 [details] [diff] [review] update freetype to version 2.9.1 Approval Request Comment [Feature/Bug causing the regression]: no regression, updating library from upstream [User impact if declined]: possible vulnerabilities in freetype [Is this code covered by automated tests?]: yes, exercised by anything that draws text on android [Has the fix been verified in Nightly?]: not yet [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: update to latest upstream release of a widely-used library [String changes made/needed]: none
Attachment #8973734 -
Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/796bf4be1f82
Group: gfx-core-security → core-security-release
Target Milestone: --- → mozilla62
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
|
|
Assignee | |
Comment 10•Last year
|
||
Comment on attachment 8973734 [details] [diff] [review] update freetype to version 2.9.1 Approved for 61.0b4.
Attachment #8973734 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 11•Last year
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/2e8113527d2c
|
|
Assignee | |
Updated•Last year
|
Flags: qe-verify-
|
||
Updated•Last year
|
Whiteboard: [adv-main61-]
|
||
Updated•Last month
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•