Is this freetype implementation vulnerable to CVE-2020-15999

Question

Is this freetype implementation vulnerable to CVE-2020-15999

AngelinaSosa opened this issue 4 years ago · 1 comments

AngelinaSosa commented 4 years ago

Do you know if this vulnerability is applicable ? References:
https://savannah.nongnu.org/bugs/?59308

https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd

https://www.mail-archive.com/freetype-announce@nongnu.org/msg00125.html

https://nvd.nist.gov/vuln/detail/CVE-2020-15999

Thank you !
Angelina

Answer 1 · 2022-11-01T01:00:08.000Z

As far as I see it is irrelevant - the upstream bug is about vulnerability in the sbit table reading due to dependency on libpng. It is one of the apple style bitmaps which requires libpng to work. Freetype go does not support reading the sbit bitmaps at all.