[BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863 #2608
Comments
Thanks for the issue, PRs building and will get a release ASAP.
@mattleibow feel free to ping over on github/advisory-database#2727 (or @ me or whatever) when ready and I can get your package (with affected versions) added to the GHSA and get dependabot alerts going out to your users if you like 😄
Patched versions are:
Thank you very much for your help with this issue!
My understanding is that webp 1.3.2 still has the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 EDIT: Never mind, missed the 'prior to'. Please ignore
Description
SkiaSharp vendors (via mono/skia) a version of libwebp that is vulnerable to CVE-2023-4863.
Upstream skia picked up the fixed libwebp via google/skia@1176deb
Please:
Thank you!
Code
n/a
Expected Behavior
No response
Actual Behavior
No response
Version of SkiaSharp
2.88.3 (Current)
Last Known Good Version of SkiaSharp
Other (Please indicate in the description)
IDE / Editor
Other (Please indicate in the description)
Platform / Operating System
All
Platform / Operating System Version
No response
Devices
No response
Relevant Screenshots
No response
Relevant Log Output
No response