[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ft-devel] details
|
From: |
suzuki toshiya |
|
Subject: |
Re: [ft-devel] details |
|
Date: |
Sun, 15 Apr 2012 01:22:11 +0900 |
|
User-agent: |
Mozilla-Thunderbird 2.0.0.12 (X11/20080406) |
The next comment might be something like "our target is not Android nor iOS"
or "our application does not eat PDF nor web documents".
I guess the background would not be by the characteristic of the system
running in the target devices, it would be by the culture of the engineers.
Regards,
mpsuzuki
Alan Coopersmith wrote:
> On 04/14/12 06:48 AM, Vinnie wrote:
>>> From: Alan Coopersmith <address@hidden>
>>>
>>> A pretty convenient way to make your software full of security holes
>>> and other bugs if you don't spend the time to update it for every upstream
>>> patch, at which point you'll find that it's not all that convenient
>>> compared to just using a shared library.
>> *sigh* people assume FreeType is only used for operating systems. How many
>> times do I have to repeat the use-case for embedding both FreeType, and a
>> font, within a desktop or smartphone application? For cases where the user
>> cannot choose the font, there is no security hole.
>
> Do you know where most of the FreeType security issues in the past few years
> has been found? By people trying to hack smartphones via downloads of
> malicious PDF's or opening webpages with bad webfonts. Quite a few of the
> jailbreaks for Apple's iOS have resulted in FreeType security patches coming
> out - you can see credits to both Apple & Google for providing fixes in the
> various advisories.
>
> Of course, those smartphone OS'es are providing system font rendering using
> FreeType so you don't have to shove in another copy there.
>