HinTak
commented
1 year ago As far as I see it is irrelevant - the upstream bug is about vulnerability in the sbit table reading due to dependency on libpng. It is one of the apple style bitmaps which requires libpng to work. Freetype go does not support reading the sbit bitmaps at all.
Do you know if this vulnerability is applicable ? References: https://savannah.nongnu.org/bugs/?59308
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
https://www.mail-archive.com/freetype-announce@nongnu.org/msg00125.html
https://nvd.nist.gov/vuln/detail/CVE-2020-15999
Thank you ! Angelina