Closed
Bug 1458905
Opened 7 years ago
Closed 7 years ago
Update freetype2 to 2.9.1

Categories: Core :: Graphics: Text, defect

Tracking: RESOLVED FIXED (mozilla62)

Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | disabled
firefox59 | --- | unaffected
firefox60 | --- | wontfix
firefox61 | + | fixed
firefox62 | + | fixed

People: Reporter: tjr, Assigned: RyanVM

Details: Keywords: sec-audit, Whiteboard: [adv-main61-]

Attachments (1 file): patch, 1.66 MB; jfkthame: review+, RyanVM: approval-mozilla-beta+
This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library.
freetype2 is currently at version 2.9 in mozilla-central, and the latest version of the library released is 2.9.1.
I fetched the latest version of the library from http://download.savannah.gnu.org/releases/freetype/.
It looks like this may be a security release, so tagging as such.
Comment 1•7 years ago
We pretty aggressively backported the upstream security fixes to 60/61 as they landed:
https://hg.mozilla.org/mozilla-central/file/default/modules/freetype2/README.moz-patches
Tom, are you aware of any other scary-looking upstream commits that would justify taking this urgently? Otherwise, I'd prefer to wait until next week after we're clear of the Nightly soft freeze.
status-firefox59: --- → unaffected
status-firefox60: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → affected
Flags: needinfo?(tom)
Comment 3•7 years ago
Thanks, I'll take this next week. And also, since we don't ship Android builds off ESR60, I think we can wontfix this bug for there (since it's the release we ship which uses the in-tree FT2).
Assignee: nobody → ryanvm
Comment 4•7 years ago
First attempt has bustage:
https://treeherder.mozilla.org/logviewer.html#?job_id=177267288&repo=try&lineNumber=29189
Comment 5•7 years ago
Easy fix. Just needed to remove two files from moz.build which were added to ftbase.c as #includes instead.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=4fd11122127493b1778846af5f99384235181436
Attachment #8973734 - Flags: review?(jfkthame)
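As an added example (not code from this bug, from FreeType, or from Mozilla's tree): a check for the failure mode comment 5 describes, where a build file lists a .c file for separate compilation while another listed unit also pulls it in with #include, so its definitions get compiled and linked twice. The moz.build fragment, the file names (ftalpha.c, ftbeta.c, ftgamma.c, ftinit.c) and the file contents are all constructed for the demonstration; the only convention assumed is that moz.build is Python that appends paths to SOURCES or UNIFIED_SOURCES, which is why the fragment is read through the AST rather than executed.

```python
import ast
import posixpath
import re

# Constructed moz.build fragment (not Mozilla's real file). moz.build is
# Python; SOURCES / UNIFIED_SOURCES hold the .c files compiled separately.
MOZ_BUILD = """
SOURCES += [
    'src/base/ftbase.c',
    'src/base/ftalpha.c',
    'src/base/ftbeta.c',
    'src/base/ftinit.c',
]
"""

# Constructed file contents, keyed by path. ftbase.c is an amalgamation unit:
# it #includes other .c files, which therefore must not be compiled on their own.
SOURCE_FILES = {
    "src/base/ftbase.c": (
        '#include "ftalpha.c"\n'
        '#include "ftbeta.c"\n'
        '#include "ftgamma.c"\n'  # included but not listed in SOURCES: fine
    ),
    "src/base/ftalpha.c": "int ft_alpha(void) { return 1; }\n",
    "src/base/ftbeta.c": "int ft_beta(void) { return 2; }\n",
    "src/base/ftgamma.c": "int ft_gamma(void) { return 3; }\n",
    "src/base/ftinit.c": '#include "ftinit.h"\nint ft_init(void) { return 0; }\n',
}

INCLUDE_RE = re.compile(r'^\s*#\s*include\s+"([^"]+)"', re.MULTILINE)


def listed_sources(moz_build_text):
    """Paths appended to SOURCES or UNIFIED_SOURCES, read via the AST (no exec)."""
    found = []
    for node in ast.walk(ast.parse(moz_build_text)):
        if (isinstance(node, ast.AugAssign)
                and isinstance(node.target, ast.Name)
                and node.target.id in ("SOURCES", "UNIFIED_SOURCES")):
            found.extend(ast.literal_eval(node.value))
    return found


def included_units(path, files):
    """Other .c files a translation unit pulls in with #include, resolved relative to it."""
    base = posixpath.dirname(path)
    units = []
    for name in INCLUDE_RE.findall(files.get(path, "")):
        if name.endswith(".c"):
            units.append(posixpath.normpath(posixpath.join(base, name)))
    return units


def double_compiled(moz_build_text, files):
    """Map each listed .c file that is also #included by another listed unit to
    the units including it; a non-empty result means duplicate definitions at
    link time, which is the bustage the patch had to fix."""
    sources = listed_sources(moz_build_text)
    listed = set(sources)
    clashes = {}
    for src in sources:
        for unit in included_units(src, files):
            if unit in listed and unit != src:
                clashes.setdefault(unit, []).append(src)
    return clashes


if __name__ == "__main__":
    for unit, includers in sorted(double_compiled(MOZ_BUILD, SOURCE_FILES).items()):
        print(f"{unit}: listed in SOURCES but also #included by {', '.join(includers)}")
```

On the constructed input the check reports ftalpha.c and ftbeta.c, and the remedy is the one comment 5 describes: drop those entries from the SOURCES list and let the amalgamation unit carry them. Run against a real tree it would read the moz.build file and the source files from disk instead of the embedded dictionary.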
Updated•7 years ago
Comment 6•7 years ago
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1
Review of attachment 8973734 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM -- after reading the entire patch line-by-line, obviously. ;)
Attachment #8973734 - Flags: review?(jfkthame) → review+
Comment 7•7 years ago
Comment 8•7 years ago
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1
Approval Request Comment
[Feature/Bug causing the regression]: no regression, updating library from upstream
[User impact if declined]: possible vulnerabilities in freetype
[Is this code covered by automated tests?]: yes, exercised by anything that draws text on android
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: update to latest upstream release of a widely-used library
[String changes made/needed]: none
Attachment #8973734 - Flags: approval-mozilla-beta?
Comment 9•7 years ago
Group: gfx-core-security → core-security-release
Target Milestone: --- → mozilla62
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 10•7 years ago
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1
Approved for 61.0b4.
Attachment #8973734 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 11•7 years ago
uplift
Updated•7 years ago
Flags: qe-verify-
Updated•7 years ago
Whiteboard: [adv-main61-]
Updated•6 years ago
Group: core-security-release