SixLabors/ImageSharp

Please backport CVE-2024-27929 to 2.1.x

mfeingol opened this issue · 20 comments

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp
  • I have verified that the problem exists in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

ImageSharp version

2.1.6

Other ImageSharp packages and versions

N/A

Environment (Operating system, version and so on)

N/A

.NET Framework version

N/A

Description

cf GHSA-65x7-c272-7g7r

Steps to Reproduce

N/A

Images

No response

Do not abuse the issue tracker like this.

My apologies. Why is this abusing the issue tracker?

Please see the highlighted checkbox


v2.1.6 is a full major version behind the latest stable release v3.1.3. As such, your completion of this is incorrect. v3.0.0 was released over one year ago and I am actively working on v4 now. You should upgrade your working version to the latest release.

I see. I need to support .NET Standard 2.0 libraries that cannot upgrade to 3.x. Because 3.x no longer supports .NET Standard 2.0, it seemed reasonable to at least request CVE backports, at least for some time.

@JimBobSquarePants There's lots of software running imagesharp that is using net framework 4.7.2 and has not been ported to net 6 (and it isn't possible to port some of it due to missing feature sets on windows). Net framework 4.7.2 is LTS to 2032. Can't add a reference to net 6 from a 4.7.2 full framework application. Ideally there'd be net standard 2 compatible builds of 3.x

There's lots of software running imagesharp that is using net framework 4.7.2 and has not been ported to net 6

Yes, there may well be, however.

Almost nobody contributes code
Almost nobody purchases licenses

If they had and it was possible to actually maintain the libraries to a degree that would allow me to actually either earn a living working on them or pay others to assist then there would be more comprehensive support.

Ideally there'd be net standard 2 compatible builds of 3.x

See #2378 regarding discussions around target frameworks.

Understood, sorry, I had the distinct impression this was Microsoft sponsored for some reason.

Thanks all for the discussion.

I think there's a difference between active new feature support and CVE backports. But regardless.

My current use of ImageSharp is to read image dimensions from certain images. The simplest path for me is to switch to something else that supports the platforms I currently need to target. It looks like SkiaSharp has that basic functionality, so I'll be switching to that.

Understood, sorry, I had the distinct impression this was Microsoft sponsored for some reason.

At one time, ImageSharp was part of the .NET Foundation. Not the case anymore. See https://dotnetfoundation.org/news-events/detail/update-on-imagesharp if you want their take on it.

That didn't involve any funding though.

Anyway... The fix has been backported.

Thanks @JimBobSquarePants, it's much appreciated.
I tried the updated version but I'm still getting a warning in Visual Studio.

Thanks @JimBobSquarePants, it's much appreciated. I tried the updated version but I'm still getting a warning in Visual Studio.

NuGet doesn't show an advisory - have you rebuilt the project and/or refreshed your NuGet feed?


@tiesont yes, I've tried turning it off and on again and everything. Clean/Rebuild, Restart etc.
It's weird as it doesn't say "Vulnerable" in the Version dropdown in Package Manager but does in the Solution Explorer.

Delete your .vs folder. If that doesn't work, try deleting your local NuGet cache.

If that doesn't work I'd suggest reporting the issue to Microsoft as everything is correctly marked at the source.

Cleared the NuGet cache via Tools > NuGet Package Manager > Package Manager Console.
Deleted the .vs folder.
Still shows as vulnerable.

Created an entirely new project and referenced 2.1.7 - shows as vulnerable in Solution Explorer.
Tried it on another PC - same results.

maybe someone else wants to try it?

Cleared the NuGet cache via Tools > NuGet Package Manager > Package Manager Console. Deleted the .vs folder. Still shows as vulnerable.

Created an entirely new project and referenced 2.1.7 - shows as vulnerable in Solution Explorer. Tried it on another PC - same results.

maybe someone else wants to try it?

I see the same behavior, but like @JimBobSquarePants says, this is 99.999% likely to be a Visual Studio or Nuget Package Manager bug, not an issue with ImageSharp.

ok thanks for confirming - maybe it'll resolve itself / some cache somewhere needs to reset.

There must be something VS uses that caches the vulnerability list. I can install the version fine and, as you say, it doesn't show as vulnerable in the Package Manager, but yes, it shows as vulnerable in the dependencies. I would definitely raise this upstream.

Would this be worth adding as a new discussion here, just to have a place to direct this conversation that isn't polluting this particular issue?

I'm currently looking in the issue tracker for the NuGet client tools to see if it's been reported yet, regardless.

It's really not relevant to this repository at all now. The package is published and explicitly marked as safe.