Advisories for Pypi/Skia-Python package

2026

skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version

The Linux wheels for skia-python vendor a version of libfreetype that is affected by CVE-2025-27363 [1]. The root cause is a chain of unfortunate events: skia-python builds its wheels with a pinned pypa/cibuildwheel@2.21.3 [2]; cibuildwheel 2.21.3 in turn pins the manylinux container images it builds in [3]; in those images, version 2.9.1-9.el8 of the Red Hat freetype package is preinstalled. That package version is vulnerable and has since been patched in 2.9.1-10. During the skia-python Linux build, …
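A practitioner receiving this advisory will want to confirm what a given wheel actually vendors. The script below is an added example and not code from skia-python or cibuildwheel: it opens a wheel (a zip file), lists the shared libraries that auditwheel placed under the `<dist>.libs/` directory, and flags any library on a watch list. It assumes auditwheel's naming convention (`<lib>-<8 hex chars>.so[.<libtool version>]`), and the directory name `skia_python.libs`, the hashes and the sample wheel it builds in memory are all constructed for the example rather than taken from a real skia-python release. Note the caveat it illustrates: Red Hat ships the fix as a new package release (2.9.1-10) without changing the upstream version, so the vendored file name tells you which FreeType release the library is built from but cannot distinguish 2.9.1-9.el8 from 2.9.1-10; for that you have to check `rpm -q freetype` in the build image itself.

```python
"""Inventory the shared libraries auditwheel vendored into a Linux wheel.

Added example, not skia-python's or cibuildwheel's own code.  Assumes the
auditwheel layout: repaired libraries live under "<dist>.libs/" and are named
"<lib>-<8 hex chars>.so[.<libtool version>]".  The directory "skia_python.libs",
the hashes and the sample wheel below are constructed for this example.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Matches e.g. "skia_python.libs/libfreetype-3fa9ae7c.so.6.16.1".
_VENDORED = re.compile(
    r"^(?P<dir>[^/]+\.libs)/"
    r"(?P<base>lib[A-Za-z0-9_+]+)"   # library base name, e.g. libfreetype
    r"(?:-[0-9a-f]{8})?"             # auditwheel's content hash (optional)
    r"\.so(?:\.(?P<ver>[0-9][0-9.]*))?$"  # libtool version suffix, if any
)

# Libraries worth flagging in this build.  The suffix only identifies the
# upstream release; a distro backport (2.9.1-9 vs 2.9.1-10) keeps the same
# file name, so a hit here means "inspect the build image", not "confirmed".
WATCH: Dict[str, str] = {
    "libfreetype": "CVE-2025-27363 (fixed in Red Hat freetype 2.9.1-10)",
}


@dataclass(frozen=True)
class VendoredLib:
    member: str                 # path inside the wheel
    base: str                   # e.g. "libfreetype"
    so_version: Optional[str]   # libtool version suffix, e.g. "6.16.1"


def vendored_libs(wheel: Union[str, io.BytesIO]) -> List[VendoredLib]:
    """Return every auditwheel-vendored shared library in the wheel."""
    found: List[VendoredLib] = []
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            m = _VENDORED.match(name)
            if m:
                found.append(VendoredLib(name, m.group("base"), m.group("ver")))
    return found


def flag_watched(libs: List[VendoredLib],
                 watch: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each watched library found in the wheel to (so_version, reason)."""
    return {lib.base: (lib.so_version, watch[lib.base])
            for lib in libs if lib.base in watch}


def sample_wheel() -> io.BytesIO:
    """Constructed stand-in for a manylinux wheel; member names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skia/__init__.py", "")
        # The extension module itself lives in the package, not in .libs/.
        zf.writestr("skia/skia.cpython-312-x86_64-linux-gnu.so", b"\x7fELF")
        zf.writestr("skia_python.libs/libfreetype-3fa9ae7c.so.6.16.1", b"\x7fELF")
        zf.writestr("skia_python.libs/libpng16-4c5d6e7f.so.16.37.0", b"\x7fELF")
        zf.writestr("skia_python-0.0.0.dist-info/RECORD", "")
    buf.seek(0)
    return buf


def report(wheel: Union[str, io.BytesIO]) -> List[str]:
    """Human-readable lines: every vendored lib, with watch-list hits marked."""
    libs = vendored_libs(wheel)
    hits = flag_watched(libs, WATCH)
    lines = []
    for lib in libs:
        mark = f"  <-- {hits[lib.base][1]}" if lib.base in hits else ""
        lines.append(f"{lib.member} (so version {lib.so_version}){mark}")
    return lines


if __name__ == "__main__":
    # Usage: python inventory.py path/to/skia_python-*.whl  (or no args for the sample)
    target: Union[str, io.BytesIO] = sys.argv[1] if len(sys.argv) > 1 else sample_wheel()
    print("\n".join(report(target)) or "no vendored libraries found")
```

Run it against a downloaded `skia_python-*-manylinux*.whl` to see what is vendored; a `libfreetype` hit means the wheel carries its own FreeType and the build container's package release, not the wheel, decides whether the fix is present.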