On Fri, 06 May 2022 at 15:25:00 +0100, Neil Williams wrote:
> CVE-2022-27470[0]:
> | SDL_ttf v2.0.18 and below was discovered to contain an arbitrary
> | memory write via the function TTF_RenderText_Solid(). This
> | vulnerability is triggered via a crafted TTF file.
Does the security team intend to do a DSA for this, or is it
considered to be stable-point-release material?
If I'm understanding the issue correctly, it's only a problem if a user
of SDL_ttf is using an untrusted TTF font file, which is a relatively
unusual thing to do: normally games either rely on system fonts, or bundle
a font in the game data, both of which are trusted (if only because anyone
in a position to insert a crafted font file could equally well insert
malicious code).
smcv
