[BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863
delroth opened this issue · 5 comments
Description
SkiaSharp vendors (via mono/skia) a version of libwebp that is vulnerable to CVE-2023-4863.
Upstream skia picked up the fixed libwebp via google/skia@1176deb
Please:
- Update mono's skia fork.
- Release a new SkiaSharp version which isn't vulnerable to CVE-2023-4863 anymore.
- Update the GHSA for CVE-2023-4863 (GHSA-j7hp-h8jx-5ppr) so that dependents get alerted of the vulnerability in SkiaSharp. (Happy to take care of that myself otherwise when a new release is available)
Thank you!
Code
n/a
Expected Behavior
No response
Actual Behavior
No response
Version of SkiaSharp
2.88.3 (Current)
Last Known Good Version of SkiaSharp
Other (Please indicate in the description)
IDE / Editor
Other (Please indicate in the description)
Platform / Operating System
All
Platform / Operating System Version
No response
Devices
No response
Relevant Screenshots
No response
Relevant Log Output
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
Thanks for the issue, PRs building and will get a release ASAP.
@mattleibow feel free to ping over on github/advisory-database#2727 (or @ me or whatever) when ready and I can get your package (with affected versions) added to the GHSA and get dependabot alerts going out to your users if you like
Patched versions are:
- 3.x alpha and this is version 3.0.0-alpha.1.27 on the feed https://aka.ms/skiasharp-eap/index.json
- 2.x stable and this is version 2.88.6 and this is on nuget: https://www.nuget.org/packages/SkiaSharp/2.88.6
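Added example, not code from the SkiaSharp project or from anyone in this thread: a dependency check that flags SkiaSharp package references still below the patched versions listed above, using SemVer-style precedence so that prerelease labels such as `alpha.1.27` compare correctly. It assumes, as the thread implies but does not state, that every version on a release line before the patched one is affected; the sample `.csproj` content is constructed.

```python
import re
from typing import List, Tuple, Union

# Patched versions exactly as stated in the thread, keyed by major release line.
PATCHED = {2: "2.88.6", 3: "3.0.0-alpha.1.27"}

Ident = Union[int, str]

def parse_version(text: str) -> Tuple[Tuple[int, ...], List[Ident]]:
    """Split 'MAJOR.MINOR.PATCH[-pre.release]' into a zero-padded numeric core
    and SemVer 2.0 prerelease identifiers (numeric identifiers become ints)."""
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    idents: List[Ident] = [int(i) if i.isdigit() else i for i in pre.split(".")] if pre else []
    return nums, idents

def version_key(text: str):
    """Sort key with SemVer precedence: a release outranks any prerelease of the
    same core; numeric identifiers rank below alphanumeric ones; a shorter
    prerelease list ranks below a longer one sharing its prefix."""
    nums, idents = parse_version(text)
    if not idents:
        return (nums, 1, ())
    return (nums, 0, tuple((0, i, "") if isinstance(i, int) else (1, 0, i) for i in idents))

def is_affected(version: str) -> bool:
    """True when the version predates the patched release of its major line.
    Assumption: all earlier versions on that line carry the vulnerable libwebp."""
    major = parse_version(version)[0][0]
    patched = PATCHED.get(major)
    if patched is None:
        return False  # release line not covered by the thread's data
    return version_key(version) < version_key(patched)

# Constructed sample project file (not from the issue); the first reference is stale.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SkiaSharp" Version="2.88.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

REF_RE = re.compile(r'<PackageReference\s+Include="(SkiaSharp)"\s+Version="([^"]+)"')

def scan_csproj(text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs for SkiaSharp references that are still affected."""
    return [(pkg, ver) for pkg, ver in REF_RE.findall(text) if is_affected(ver)]

if __name__ == "__main__":
    for pkg, ver in scan_csproj(SAMPLE_CSPROJ):
        print(f"{pkg} {ver}: update to {PATCHED[parse_version(ver)[0][0]]}")
```

The authoritative affected ranges remain those published in the GHSA; this check only encodes the two patched versions named in this thread.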
Thank you very much for your help with this issue!
My understanding is that webp 1.3.2 still has the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
@mattleibow you might want to reopen this?
EDIT: Never mind, missed the 'prior to'. Please ignore