
Security vulnerabilities in SixLabors.ImageSharp #1394

Closed
luisjones opened this issue Jul 23, 2024 · 4 comments · Fixed by #1402


luisjones commented Jul 23, 2024

NPOI Version

2.7.1

Issue Description

Our Trivy security scanner pipeline is preventing this project from being used due to a security vulnerability in the SixLabors.ImageSharp package.

Installed library version: 2.1.8
Fixed versions: 2.1.9, 3.1.5

CVE-2024-41132 (https://avd.aquasec.com/nvd/2024/cve-2024-41132/)
CVE-2024-41131 (https://avd.aquasec.com/nvd/2024/cve-2024-41131/)

I have not created a PR for this as I did not want this to conflict with #1390

@luisjones luisjones added the bug label Jul 23, 2024
@tonyqus tonyqus added this to the NPOI 2.7.2 milestone Jul 23, 2024

Innotech-Ameen-Alqattow commented Jul 25, 2024

Can we fix then soon on 2.7.1.1?

@Bykiev Bykiev added security and removed bug labels Jul 29, 2024
@MagicAndre1981

Can we fix then soon on 2.7.1.1?

select your project where you consume npoi in Visual Studio, open NuGet UI, go to "Installed packages", here you see "Top Level Packages" and "Transitive Packages". Now find SixLabors.ImageSharp under Transitive Packages and install it in version 2.1.9 to fix it yourself. Only issue is now that NuGet shows an update of SixLabors.ImageSharp to 3.1.5 because Microsoft still has no version range blocking like in old packages.config times (allowedVersions entry) or detection of incompatible frameworks.
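The same override expressed in a project file rather than through the Visual Studio UI, as an added example that is not part of this thread or of NPOI itself. The target framework is an assumption; the package versions (NPOI 2.7.1, ImageSharp 2.1.8 flagged, 2.1.9 fixed) are the ones reported above.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework for this example; use your project's own. -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- Make restore warn on known-vulnerable packages, including transitive ones
         (NuGetAuditMode=all needs NuGet 6.11 / .NET SDK 8.0.400 or newer). -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- NPOI 2.7.1 brings in SixLabors.ImageSharp 2.1.8 transitively, the
         version that Trivy flagged for CVE-2024-41131 / CVE-2024-41132. -->
    <PackageReference Include="NPOI" Version="2.7.1" />

    <!-- Promote the transitive package to a direct reference at the fixed version.
         A direct reference takes precedence over the transitive one, so NuGet
         resolves 2.1.9 instead of 2.1.8. Staying on the 2.1.x line avoids the
         3.1.5 upgrade that NuGet offers, which is a different major version. -->
    <PackageReference Include="SixLabors.ImageSharp" Version="2.1.9" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` should no longer list SixLabors.ImageSharp 2.1.8 for the project.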

tonyqus (Member) commented Jul 30, 2024

There is no plan for an urgent fix for this. The security bug is about the GIF codec. NPOI doesn't use this feature in ImageSharp at all.

lahma (Collaborator) commented Aug 14, 2024

Created #1402
