FreeType exploit

Just in case you use FreeType in one of your projects and didn’t already know: there’s been a recent emergency release.

https://www.freetype.org/

FreeType 2.10.4

2020-10-20

This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling (see here for more).

All users should update immediately.

How does this affect Xojo and all apps developed with it? I see from the Third Party Licenses and Notices included with the IDE that portions of Xojo use this.


Time to rebuild our plugins.


@Greg_O_Lone @William_Yu @Travis_Hill is there any information on this?

pr6 has the new FreeType.
DynaPDF may also get the update later.


We do have plans on using a more up to date FreeType library on macOS, but there’s not much more I can say about that on the General channel. On Linux/Windows we use a much older FreeType library than the reported version with the issue…

Thanks William. I was hoping for a little more info, like where it’s used, what systems could be affected, whether that could be used as a vector for attack, etc., just so users are aware of what not to do.

I also note that the included Chromium is over a year old now, so it might be best not to suggest new users make a web browser with an out-of-date embedded browser without telling them of the potential risks that they might not be aware of, because they are assuming that it’s using “their regular up-to-date Chrome”.

As far as I see, FreeType is in the Console framework for Mac and Linux. It could be used in the Graphics class to measure text width, and they may use native functions on Windows.

Correct, except for that part about Windows: we use FreeType there as well.
As you said, it is only used for Console apps for Graphics text drawing and measuring text metrics.
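The release note above says the fix is in embedded PNG bitmap handling, and the thread ends with FreeType reached only through console apps that draw or measure text. The input that exercises that code path is a font file carrying PNG-encoded bitmap glyphs (the sfnt `sbix` table with `png ` entries, and colour bitmap `CBDT`/`CBLC` tables). The following is an added example, written for this page rather than taken from FreeType, Xojo or the thread, that triages a font file for those tables so you can tell which fonts an un-updated build should not be fed. Table layouts follow the OpenType `sbix`, `maxp` and table-directory specifications; the minimal sample font built at the bottom is a constructed fixture, not a renderable font, and the PNG payload inside it is a bare signature plus a fake IHDR chunk.

```python
"""Triage sfnt fonts for embedded PNG bitmap glyphs (sbix 'png ' entries, CBDT/CBLC).
Added example for this thread, not FreeType or Xojo code. The sample font is constructed."""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SFNT_VERSIONS = (0x00010000, 0x74727565, 0x4F54544F)  # 1.0, 'true', 'OTTO'


def _slice(font, off, n):
    """Bounds-checked read: never trust offsets that come from the file itself."""
    if off < 0 or off + n > len(font):
        raise ValueError(f"offset {off}+{n} outside {len(font)}-byte file")
    return font[off:off + n]


def table_directory(font):
    """Return {tag: (offset, length)} from the sfnt table directory."""
    version, num_tables = struct.unpack(">IH", _slice(font, 0, 6))
    if version not in SFNT_VERSIONS:
        raise ValueError("not a TrueType/OpenType sfnt")
    tables = {}
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", _slice(font, 12 + 16 * i, 16))
        _slice(font, off, length)  # validates that the table lies inside the file
        tables[tag] = (off, length)
    return tables


def sbix_png_glyphs(font):
    """List (ppem, glyph_id, png_length, has_png_signature) for each sbix glyph of type 'png '."""
    tables = table_directory(font)
    if b"sbix" not in tables or b"maxp" not in tables:
        return []
    maxp_off, _ = tables[b"maxp"]
    num_glyphs, = struct.unpack(">H", _slice(font, maxp_off + 4, 2))  # maxp.numGlyphs
    sbix_off, sbix_len = tables[b"sbix"]
    sbix_end = sbix_off + sbix_len
    _version, _flags, num_strikes = struct.unpack(">HHI", _slice(font, sbix_off, 8))
    found = []
    for s in range(num_strikes):
        strike_rel, = struct.unpack(">I", _slice(font, sbix_off + 8 + 4 * s, 4))
        strike = sbix_off + strike_rel  # strike offsets are relative to the sbix table
        ppem, _ppi = struct.unpack(">HH", _slice(font, strike, 4))
        n = num_glyphs + 1  # numGlyphs+1 data offsets, relative to the strike
        offs = struct.unpack(f">{n}I", _slice(font, strike + 4, 4 * n))
        for gid in range(num_glyphs):
            start, stop = strike + offs[gid], strike + offs[gid + 1]
            if stop > sbix_end or stop < start:
                raise ValueError(f"glyph {gid} data offsets leave the sbix table")
            if stop - start < 8:
                continue  # no bitmap for this glyph at this strike
            _ox, _oy, gtype = struct.unpack(">hh4s", _slice(font, start, 8))
            if gtype == b"png ":
                data = font[start + 8:stop]
                found.append((ppem, gid, len(data), data.startswith(PNG_SIGNATURE)))
    return found


def triage(font):
    """Summary a practitioner can act on: does this font reach the PNG bitmap code path?"""
    tables = table_directory(font)
    hits = sbix_png_glyphs(font)
    has_cbdt = b"CBDT" in tables and b"CBLC" in tables  # colour bitmaps, may be PNG-encoded
    return {
        "sbix_png_glyphs": len(hits),
        "has_cbdt": has_cbdt,
        "embedded_png_possible": bool(hits) or has_cbdt,
    }


# --- constructed fixture: a hypothetical two-glyph sfnt, not a usable font ---
SAMPLE_PNG = PNG_SIGNATURE + struct.pack(">I4sIIBBBBBI", 13, b"IHDR", 1, 1, 8, 6, 0, 0, 0, 0)


def build_sample_font(png_payload=None):
    """Build an sfnt with maxp (2 glyphs) and, if png_payload is given, one sbix strike
    whose glyph 1 is a 'png ' entry carrying png_payload. Offsets are computed, not hard-coded."""
    num_glyphs = 2
    tables = [(b"maxp", struct.pack(">IH", 0x00005000, num_glyphs))]
    if png_payload is not None:
        hdr_len = 4 + 4 * (num_glyphs + 1)
        glyph1 = struct.pack(">hh4s", 0, 0, b"png ") + png_payload
        strike = struct.pack(">HH", 32, 72)  # ppem, ppi
        strike += struct.pack(">3I", hdr_len, hdr_len, hdr_len + len(glyph1)) + glyph1
        tables.append((b"sbix", struct.pack(">HHII", 1, 1, 1, 12) + strike))
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    records, body = b"", b""
    base = 12 + 16 * len(tables)
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + records + body


if __name__ == "__main__":
    print(triage(build_sample_font(SAMPLE_PNG)))  # one sbix png glyph found
    print(triage(build_sample_font()))            # nothing embedded
```

Run `triage()` over the fonts a console app can load (system font directories, anything a user can hand the app); a non-empty `sbix_png_glyphs` count or `has_cbdt` flags a file that exercises exactly the handler the emergency release patched. The bounds checks matter here: a triage tool that trusts offsets in a file it is screening for malicious content would itself be the easy target.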