Lately, a critical 0day exploit hit FreeType. The vulnerability, tagged under CVE-2020-15999, has been officially fixed in the FreeType package some days ago.
Many people claim that it needs to be fixed separately in chromium-based applications, like chromium and Visual Studio Code, too.
However, I’ve looked up the different chromium-based packages I have installed (those being steam, chromium, and code).
Both chromium and VSCode have FreeType listed as dependency. Because of this, I think that the vulnerability is already fixed for those packages, too, since they merely use the system-installed library instead of shipping their own version.
However, steam does not list FreeType as dependency, and is thus vulnerable (this has also been confirmed, since they shipped a patch separately).
Is my hypothesis about chromium and code correct? Just to still a security student’s paranoia