[vulnerability] CVE issues #194

Closed
congshengwu opened this issue Apr 13, 2023 · 4 comments

Comments

@congshengwu

Hi, I found there are three CVE issues on the latest version 3.2.1. Will there be a plan to fix them?
CVE-2019-11934
CVE-2008-0660
CVE-2021-24036

@floitsch
Collaborator

I will have another look later, but at first glance those vulnerabilities don't seem to apply to this library.

For example, the first one talks about SSL sockets, which have nothing to do with double-conversion (unless this library is used under the hood).

@congshengwu
Author

Wow, thanks for the quick reply. I am using React Native to build the mobile app, and double-conversion is part of the dependencies of React Native.

We have CI/CD on a Linux server and use SonarQube to scan for vulnerabilities during the app package build. Here is more detail from the SonarQube scan result:

  • Filename: DoubleConversion:3.2.1 | Reference: CVE-2019-11934 | CVSS Score: 9.8 | Category: CWE-125 | Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket. This issue affects folly prior to v2019.11.04.00.

  • Filename: DoubleConversion:3.2.1 | Reference: CVE-2021-24036 | CVSS Score: 9.8 | Category: CWE-787 | Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.

  • Filename: DoubleConversion:3.2.1 | Reference: CVE-2008-0660 | CVSS Score: 9.3 | Category: CWE-119 | Multiple stack-based buffer overflows in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.6.17.0, 4.5.70.0, and 4.5.126.0, and ImageUploader5 5.0.10.0, as used by Facebook PhotoUploader 4.5.57.0, allow remote attackers to execute arbitrary code via long (1) ExtractExif and (2) ExtractIptc properties.

@floitsch
Collaborator

I'm pretty sure that's a mistake of SonarQube then. I just looked at the first vulnerability, and the patch has nothing to do with the double-conversion library: facebook/folly@c321eb5

Searching through the vulnerability database I only found one entry that potentially applies: https://nvd.nist.gov/vuln/detail/CVE-2016-1660
Blink changed an assert into a release assert to handle bad input. I'm open to doing the same change.

@congshengwu
Author

I have double-checked the content of the SonarQube result. You're right, they are not related to double-conversion.
Thanks for your time, I will close the issue then.
