Hello,

What is the relationship between freetype and libfreetype?
Do you know, or have some tips on, how to map a libfreetype version to freetype?

I have a macOS desktop application that embeds a JRE.
Its recent security scan found ~80 vulnerabilities related to freetype.

The problem is that it didn’t detect the freetype version.
I’m assuming that these are all the vulns found in freetype since the beginning.

The file in question is: …/jre/lib/libfreetype.6.dylib
When I try to use a random tool (suggested by Stack Overflow) I get version 23.1.0,
which is way too big.

$ otool -L libfreetype.dylib.6
libfreetype.dylib.6:
    @rpath/libfreetype.6.dylib (compatibility version 23.0.0, current version 23.1.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libbz2.1.0.dylib (compatibility version 1.0.0, current version 1.0.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)

There is a similar problem for the Windows desktop client and these files:
- jre/bin/freetype.dll
- jre/bin/fontmanager.dll
I haven't tried to find the version there yet.

I have a web application that also has this issue in a *.wasm.code.unityweb file,
but I can “blame” (delegate) this on the company that created this component for us.

And finally I have a Java backend where apparently one of the dependencies also
contains some Mac libraries using freetype:
- com.opendesign.teigha.macosx.x86_64_4.2.0.jar/macho libTD_DbRoot.dylib
- com.opendesign.teigha.macosx.x86_64_4.2.0.jar/macho libTD_DbRoot.jnilib
I guess the method for finding the version here is the same as in the first case.

Any tips will be appreciated.
I'm primarily a Java developer - not familiar with C/C++ libraries and their
linking and stuff ;)

Best regards,
Paweł Kozioł

