Hello;

OpenOffice has been explicitly mentioned in public concerns about silgraphite:

http://news.softpedia.com/news/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox-500027.shtml

I looked briefly at the issues and for good or bad the version of
silgraphite shipping with OpenOffice is old enough that most of the
vulnerabilities don't apply (at least not directly). It appears
not even the silgraphite authors may be aware of what the state
of the older library version may be.

The issue may not be urgent after all but we have to consider what
to do about it.

1) We could update silgraphite to their latest version (at least one
header has disappeared so this needs tweaking).
2) We could patch the older silgraphite to provide some protection
from vulnerabilities.

Independent of (1) or (2) I think it's likely we may want to stop
shipping libgraphite. On one side the support from SIL for this
event has been unacceptable: AFAICT there was no advance notice, and
no fix alternatives. On the other hand graphite is not very important
nowadays: Adobe donated a fine CFF rasterizer to the freetype
project which fills the hole graphite meant to cover. Note that
we don't carry graphite-enabled fonts so our users may not miss
it at all.

Note that I am not a member of the security team so this is not
an official statement on the project's behalf, just my thoughts.

Pedro.
