libjpeg-turbo bug which is using by flutter engine #68604
Comments
@leo7723 |
Can someone take a look at this? Are we using that version of libjpeg-turbo, or are we using the version bundled by Skia? cc @Hixie |
Hi guys, is there any plan to solve this CVE (CVE-2018-14498) in a future Flutter engine version? |
The CVE has been solved in the new version of libjpeg-turbo: |
They have already added a 'P4' label on this issue. I already found 2 security problems, both on 'P4' and none of them were resolved. Maybe you can make a merge request to solve the problem. They have already rated this issue as P4. I have reported two security issues in total and neither has been resolved. It looks like you are a colleague, so you may also run into the other issue I reported. |
I saw it, the issue about the SP compile option... |
Version 3.0.5 of Flutter has libjpeg vulnerabilities (not the same as CVE-2018-14498): is there any plan to solve these in a future Flutter engine version? Serious problem. |
Our security tool has found the same issue (Android build only). Here are details about vulnerabilities:
Same issue is there even if we update Flutter from 3.0.5 to 3.3.4 |
Same issue on Flutter 3.10.5 - still depends on `0fb821f3b2e570b2783a94ccd9a2fb1f4916ae9f`, which is causing serious vulnerabilities in our app. |
The two referenced CVEs do not actually affect any code used by Flutter. They are within some of the tests/cli/example code part of libjpeg's source tree. |
In our scan it raised the following vulnerabilities: While checking the first one, it seems that the vulnerability isn't inside some example code (this is the fix: libjpeg-turbo/libjpeg-turbo@6bbc0a3) |
All three CVEs are part of libjpeg command line utilities. Again I stress these are not used within Flutter, as Flutter does not use command line utilities from libjpeg at any point in time. |
Flutter engine is using libjpeg-turbo with version '0fb821f3b2e570b2783a94ccd9a2fb1f4916ae9f'
My team found a bug in this version.
Detail: https://nvd.nist.gov/vuln/detail/CVE-2018-14498#range-5696424
Does this bug really matter? It looks like a serious problem.