Closed Bug 1458905 Opened 3 years ago Closed 3 years ago

Update freetype2 to 2.9.1

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- disabled
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 + fixed
firefox62 + fixed

People

(Reporter: tjr, Assigned: RyanVM)

References

Details

(Keywords: sec-audit, Whiteboard: [adv-main61-])

Attachments

(1 file)

update freetype to version 2.9.1
1.66 MB, patch
jfkthame
: review+
RyanVM
: approval-mozilla-beta+
Details | Diff | Splinter Review 
This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library.

freetype2 is currently at version 2.9 in mozilla-central, and the latest version of the library released is 2.9.1. 

I fetched the latest version of the library from http://download.savannah.gnu.org/releases/freetype/.



It looks like this may be a security release, so tagging as such.
We pretty aggressively backported the upstream security fixes to 60/61 as they landed:
https://hg.mozilla.org/mozilla-central/file/default/modules/freetype2/README.moz-patches

Tom, are you aware of any other scary-looking upstream commits that would justify taking this urgently? Otherwise, I'd prefer to wait until next week after we're clear of the Nightly soft freeze.
status-firefox59: --- → unaffected
status-firefox60: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → affected
Flags: needinfo?(tom)
Nope, sounds good.
Flags: needinfo?(tom)
Thanks, I'll take this next week. And also, since we don't ship Android builds off ESR60, I think we can wontfix this bug for there (since it's the release we ship which uses the in-tree FT2).
Assignee: nobody → ryanvm
status-firefox60: affectedwontfix
status-firefox-esr60: affectedwontfix
Keywords: sec-audit
Easy fix. Just needed to remove two files from moz.build which were added to ftbase.c as #includes instead.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=4fd11122127493b1778846af5f99384235181436
Attachment #8973734 - Flags: review?(jfkthame)
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Review of attachment 8973734 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM -- after reading the entire patch line-by-line, obviously. ;)
Attachment #8973734 - Flags: review?(jfkthame) → review+
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Approval Request Comment
[Feature/Bug causing the regression]: no regression, updating library from upstream
[User impact if declined]: possible vulnerabilities in freetype
[Is this code covered by automated tests?]: yes, exercised by anything that draws text on android
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: update to latest upstream release of a widely-used library
[String changes made/needed]: none
Attachment #8973734 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/796bf4be1f82
Group: gfx-core-security → core-security-release
status-firefox62: affectedfixed
Target Milestone: --- → mozilla62
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Comment on attachment 8973734 [details] [diff] [review]
update freetype to version 2.9.1

Approved for 61.0b4.
Attachment #8973734 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [adv-main61-]
Blocks: 1553912
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.