openoffice-dev mailing list archives

From Andrea Pescetti <>
Subject Re: Security issues with silgraphite
Date Tue, 16 Feb 2016 23:29:34 GMT
Pedro Giffuni wrote:
> I looked briefly at the issues and for good or bad the version of
> silgraphite shipping with OpenOffice is old enough that most of the
> vulnerabilities don't apply (at least not directly).

Thank you for setting things straight. We do use silgraphite, but not 
the version that is confirmed to be vulnerable.

Indeed the article you linked to does not say that OpenOffice is 
vulnerable. It says that OpenOffice uses silgraphite (correct) and that 
Firefox used to be vulnerable (since Firefox was using the silgraphite 
version that is confirmed to be vulnerable).

> 1) We could update silgraphite to their latest version (at least one
> header has disappeared so this needs tweaking).
> 2) We could patch the older silgraphite to provide some protection
> from vulnerabilities.

I would definitely go for option 1 but indeed they broke compatibility. 
I don't know how complex it is to update code, but it is a good moment 
for doing so.

> Independent of (1) or (2) I think it's likely we may want to stop
> shipping libgraphite.

I don't think this is the best solution, see below.

> On one side the support from SIL for this
> event has been unacceptable: AFAICT there was no advance notice

I confirm OpenOffice received no information in advance; on the other 
side, the vulnerability as such does not apply to the version we use. So 
maybe we didn't receive a notification since there was nothing to fix.

> On the other hand graphite is not very important
> nowadays: Adobe donated a fine CFF rasterizer to the freetype
> project which fills the hole graphite meant to cover.

We do have a niche (at least I think it's a niche) of users who love 
Graphite-enabled fonts. So this might need some longer evaluation, at 
least to understand if these users would be damaged. This is why I would 
prefer to use option 1 for 4.2.0 and (unless they broke compatibility 
too much) go for the update. Of course, if this turns out to be too 
complex or risky, deprecating silgraphite is an option too.

