
Is System.drawing.common vulnerable to CVE-2021-24112 in .Net SDK 6.0 #29927

Open
git-smita opened this issue Jan 13, 2023 · 12 comments
Assignees
Labels
Area-ILLink untriaged Request triage from a team member

Comments

@git-smita

As per the github advisory System.Drawing.Common ([NuGet]) is patched in v4.7.2 - GHSA-rxg9-xrhp-64gj

But .NET SDK 6.0.405 contains v4.7.0. Is it possible to publish/get a confirmation that SDK versions other than what's listed in the
advisory https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24112 are not vulnerable?

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label Jan 13, 2023
@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@tallandtree

It seems so for all dotnet sdk versions I've tested. Not sure how to fix this.

usr/share/dotnet/sdk/7.0.102/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json (dotnet-core)
==============================================================================================================
Total: 1 (CRITICAL: 1)
┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                    │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ System.Drawing.Common │ CVE-2021-24112 │ CRITICAL │ 4.7.0             │ 5.0.3, 4.7.2  │ dotnet: Remote Code Execution Vulnerability │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-24112  │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘

@KalleOlaviNiemitalo
Contributor

KalleOlaviNiemitalo commented Jan 17, 2023

Does that need to be fixed? The json file references 4.7.0, but if the System.Drawing.Common.dll itself is 4.7.2, then that will be loaded.

@tallandtree

Good question. But for the last 6 months, trivy has also been scanning the .deps.json files, and if they are not correct, the scans will contain too many false positives. It's a lot of work to check them manually. The installed files are indeed a higher (not vulnerable) version. So, the question is: is it a trivy issue or a dotnet issue? Should those deps.json files be correct?

@marcpopMSFT marcpopMSFT self-assigned this Jan 18, 2023
@marcpopMSFT marcpopMSFT removed their assignment Jan 18, 2023
@ghost

ghost commented Jan 18, 2023

@dotnet/linker-contrib a new issue has been filed in the ILLink area, please triage

@KalleOlaviNiemitalo
Contributor

#30659 is similar.

@justinmchase

What is the release cadence for microsoft docker images with High level security issues? Do the images get rebuilt automatically once a month?

@baronfel
Member

The images are rebuilt monthly out of the dotnet/dotnet-docker repo using the security releases for that month, yes.

We've been focusing on clearing these notices more frequently these days, so I'm going to close this one since the CVE mentioned is addressed.

@hilari0n

The issue was not entirely about whether the CVE is addressed in a released SDK version. It already was, when the issue was created.
It's more about dependency list files generated for .NET projects still listing the NuGet version as 4.7.0, even with a patched .NET 6.0 SDK version, which results in various dependency vulnerability scanners returning false-positive results.
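The false-positive mechanism described in this thread (a metadata-only scanner reading the package version out of `.deps.json` while the DLL actually shipped is newer) can be reproduced with a small triage script. The following is an added example, not code from the issue, the .NET SDK or Trivy. The `.deps.json` fragment is constructed to mirror the ILLink.Tasks layout quoted above (System.Drawing.Common declared as 4.7.0), the advisory table is taken from the Trivy row in the thread (CVE-2021-24112, fixed in 5.0.3 / 4.7.2), and the "on disk" version 4.7.2 is an assumed value standing in for what a real check would read from the assembly's file version.

```python
import json
from typing import Dict, List, Tuple

# Constructed .deps.json fragment modelled on the ILLink.Tasks.deps.json layout
# quoted in the issue. It is not a real SDK file; only the shape matters here.
SAMPLE_DEPS_JSON = """
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v7.0", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v7.0": {
      "ILLink.Tasks/7.0.100": {
        "dependencies": { "System.Drawing.Common": "4.7.0" },
        "runtime": { "ILLink.Tasks.dll": {} }
      },
      "System.Drawing.Common/4.7.0": {
        "runtime": {
          "lib/netstandard2.0/System.Drawing.Common.dll": {
            "assemblyVersion": "4.0.2.0",
            "fileVersion": "4.700.20.20927"
          }
        }
      }
    }
  },
  "libraries": {
    "ILLink.Tasks/7.0.100": { "type": "project", "serviceable": false },
    "System.Drawing.Common/4.7.0": {
      "type": "package", "serviceable": true,
      "path": "system.drawing.common/4.7.0"
    }
  }
}
"""

# Advisory data as it appears in the Trivy table in the thread:
# package -> [(CVE, fixed versions per release branch)]
ADVISORIES: Dict[str, List[Tuple[str, List[str]]]] = {
    "System.Drawing.Common": [("CVE-2021-24112", ["5.0.3", "4.7.2"])],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.7.0' into (4, 7, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def declared_packages(deps_json: str) -> Dict[str, str]:
    """Return {package: version} for every NuGet 'package' entry in the libraries section.
    This is the only information a metadata-only scanner has to work with."""
    doc = json.loads(deps_json)
    out: Dict[str, str] = {}
    for key, meta in doc.get("libraries", {}).items():
        if meta.get("type") != "package":
            continue  # 'project' entries are the app's own code, not a dependency
        name, _, version = key.rpartition("/")
        out[name] = version
    return out


def is_vulnerable(installed: str, fixed: List[str]) -> bool:
    """Vulnerable if below the fixed version of its own major branch, or if the
    whole major branch is older than every branch that received a fix."""
    inst = parse_version(installed)
    same_branch = [parse_version(f) for f in fixed if parse_version(f)[0] == inst[0]]
    if same_branch:
        return inst < min(same_branch)
    return inst[0] < min(parse_version(f)[0] for f in fixed)


def scan_declared(deps_json: str) -> List[Tuple[str, str, str]]:
    """What a scanner reading only .deps.json reports: (package, declared version, CVE)."""
    findings = []
    for name, version in declared_packages(deps_json).items():
        for cve, fixed in ADVISORIES.get(name, []):
            if is_vulnerable(version, fixed):
                findings.append((name, version, cve))
    return findings


def triage(deps_json: str, on_disk: Dict[str, str]) -> List[Dict[str, str]]:
    """Re-check each metadata finding against the version actually shipped.
    on_disk maps package -> version observed out-of-band (e.g. from the DLL's
    file version); a finding whose shipped version is already fixed is stale
    metadata, which is exactly the false positive discussed in the thread."""
    results = []
    for name, declared, cve in scan_declared(deps_json):
        fixed = next(f for c, f in ADVISORIES[name] if c == cve)
        shipped = on_disk.get(name)
        if shipped is None:
            verdict = "unverified"  # nothing on disk to compare against; keep the finding
        elif is_vulnerable(shipped, fixed):
            verdict = "vulnerable"  # the shipped binary really is old
        else:
            verdict = "stale_metadata"  # deps.json lags behind the shipped binary
        results.append({"package": name, "cve": cve, "declared": declared,
                        "shipped": shipped or "", "verdict": verdict})
    return results


if __name__ == "__main__":
    # Assumed on-disk version: the thread reports the installed file is the patched one.
    for row in triage(SAMPLE_DEPS_JSON, {"System.Drawing.Common": "4.7.2"}):
        print(row)
```

The point of the split between `scan_declared` and `triage` is that the first reproduces what the scanner sees, and the second shows why the report is wrong when the binary has been bumped but the generated `.deps.json` has not; the real fix, as the later comments say, is to bump the dependency so the metadata and the binary agree.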

@baronfel
Member

Good point, and I do show that System.Drawing.Common is still vulnerable in the current SDK in the ILLink Tasks. Will keep this open to track until I can find out which repo needs to be bumped.

@baronfel
Member

The dependency bump in #40980 should solve this.

@baronfel
Member

Confirmed - trivy doesn't report system.drawing.common anymore with the linked PR. An upcoming monthly security release should ship this fix.
