Pedro Giffuni wrote:
I looked briefly at the issues and for good or bad the version of
silgraphite shipping with OpenOffice is old enough that most of the
vulnerabilities don't apply (at least not directly).

Thank you for setting things straight. We do use silgraphite, but not the version that is confirmed to be vulnerable.

Indeed the article you linked to does not say that OpenOffice is vulnerable. It says that OpenOffice uses silgraphite (correct) and that Firefox used to be vulnerable (since Firefox was using the silgraphite version that is confirmed to be vulnerable).

1) We could update silgraphite to their latest version (at least one
header has disappeared so this needs tweaking).
2) We could patch the older silgraphite to provide some protection
from vulnerabilities.

I would definitely go for option 1 but indeed they broke compatibility. I don't know how complex it is to update code, but it is a good moment for doing so.

Independent of (1) or (2) I think it's likely we may want to stop
shipping libgraphite.

I don't think this is the best solution, see below.

On one side the support from SIL for this
event has been unacceptable: AFAICT there was no advance notice

I confirm OpenOffice received no information in advance; on the other side, the vulnerability as such does not apply to the version we use. So maybe we didn't receive a notification since there was nothing to fix.

On the other hand graphite is not very important
nowadays: Adobe donated a fine CFF rasterizer to the freetype
project which fills the hole graphite meant to cover.

We do have a niche (at least I think it's a niche) of users who love Graphite-enabled fonts. So this might need some longer evaluation, at least to understand if these users would be damaged. This is why I would prefer to use option 1 for 4.2.0 and (unless they broke compatibility too much) go for the update. Of course, if this turns out to be too complex or risky, deprecating silgraphite is an option too.

Regards,
  Andrea.
