Does the Freetype vulnerability fix for CVE-2020-15999 apply to chromium and VSCode?


Lately, a critical 0day exploit hit FreeType. The vulnerability, tagged under CVE-2020-15999, has been officially fixed in the FreeType package some days ago.

Many people claim that it needs to be fixed separately in chromium-based applications, like chromium and Visual Studio Code, too.

However, I’ve looked up the different chromium-based packages I have installed (those being steam, chromium, and code).

Both chromium and VSCode have FreeType listed as dependency. Because of this, I think that the vulnerability is already fixed for those packages, too, since they merely use the system-installed library instead of shipping their own version.

However, steam does not list FreeType as dependency, and is thus vulnerable (this has also been confirmed, since they shipped a patch separately).

Is my hypothesis about chromium and code correct? Just to still a security student’s paranoia :smile: