While I generally agree with the "upgrade if you worry about this" advice, I 
am also aware that the concern did not come from consumer desktops, but from 
embedded, mobile and shipped / long-term-maintained systems like Solaris, 
Android, Raspberry Pi OS, etc. So I would add to that "upgrade" advice, with 
this: complain to the vendors (Sun, Google, Samsung, Raspberry Pi Foundation 
etc.) about them shipping outdated versions... there is no point complaining to 
upstream on this. The FreeType people may, under pressure, release a 2.13.2.1 
(or some appropriately versioned backport), but it is still up to the shipping 
vendors to take it. And if you are trying to persuade these vendors to ship 
backports etc., you might as well try to ask them to upgrade...
On Thursday 13 March 2025 at 11:24:35 GMT, Alexei Podtelezhnikov 
<apodt...@gmail.com> wrote:

On Wed, Mar 12, 2025 at 9:37 PM Alan Coopersmith
<alan.coopersm...@oracle.com> wrote:
> https://www.facebook.com/security/advisories/cve-2025-27363
>
> https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d

Dear Alan

We have been informed in advance about this. We suspect that Meta used
some AI tools to scan the commit history and identify commits with
potential changes in memory access patterns. The first claim was that
<= 2.13.2 were vulnerable, which we pushed back by a year and a half.

In this brave new world, freezing the old software versions is no
longer viable for the open systems. We invite everybody to use the
most recent version and help us improve FreeType, rather than engaging
in the patch race against AI.

Alexei
