Closed Bug 1458905 Opened 4 years ago Closed 4 years ago

Update freetype2 to 2.9.1


(Core :: Graphics: Text, defect)

Not set



Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- disabled
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 + fixed
firefox62 + fixed


(Reporter: tjr, Assigned: RyanVM)



(Keywords: sec-audit, Whiteboard: [adv-main61-])


(1 file)

This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library.

freetype2 is currently at version 2.9 in mozilla-central, and the latest version of the library released is 2.9.1. 

I fetched the latest version of the library from

It looks like this may be a security release, so tagging as such.
We pretty aggressively backported the upstream security fixes to 60/61 as they landed:

Tom, are you aware of any other scary-looking upstream commits that would justify taking this urgently? Otherwise, I'd prefer to wait until next week after we're clear of the Nightly soft freeze.
Nope, sounds good.
Flags: needinfo?(tom)
Thanks, I'll take this next week. And also, since we don't ship Android builds off ESR60, I think we can wontfix this bug for there (since it's the release we ship which uses the in-tree FT2).
Keywords: sec-audit
Easy fix. Just needed to remove two files from which were added to ftbase.c as #includes instead.
Attachment #8973734 - Flags: review?(jfkthame)
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Review of attachment 8973734 [details] [diff] [review]:

LGTM -- after reading the entire patch line-by-line, obviously. ;)
Attachment #8973734 - Flags: review?(jfkthame) → review+
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Approval Request Comment
[Feature/Bug causing the regression]: no regression, updating library from upstream
[User impact if declined]: possible vulnerabilities in freetype
[Is this code covered by automated tests?]: yes, exercised by anything that draws text on android
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: update to latest upstream release of a widely-used library
[String changes made/needed]: none
Attachment #8973734 - Flags: approval-mozilla-beta?
Group: gfx-core-security → core-security-release
Target Milestone: --- → mozilla62
Closed: 4 years ago
Resolution: --- → FIXED
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Approved for 61.0b4.
Attachment #8973734 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [adv-main61-]
Blocks: 1553912
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.