[CYBERSECURITY] libjpeg-turbo current version 2.1.3 in SkiaSharp #2578
Comments
In the Google fork of libjpeg-turbo, they made an optimization to not duplicate a 65k byte table; however, this was never upstreamed. This means that Skia may grow a little bit during the fix of this issue. I will try and see if I can get the optimization added upstream and then update again, but for now we will have to lose a bit.
Merged this into main and now backporting into the 2.x series. I am a tad bit worried as this is a major jump of the lib - the first in probably years. They may have made some changes, but the author looks to be really break-averse - so it is comforting. I'll get a preview out ASAP for testing - and then a stable release shortly after.
Thanks for the heads up @mattleibow. @jjzhang12 please keep this in mind.
Merged into the 2.x branch: #2581
There should be a
Description
Hello @mattleibow, as you're updating some references do you plan on updating the following vulnerability as well?
Libjpeg turbo current version 2.1.3 in SkiaSharp
https://github.com/mono/skia/blob/0c511b3c833e441cb9edd6be1d13d2b3dd20c6b8/DEPS
CVE-2023-2804 (CVSS 6.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-2804
Issue has been fixed in libjpeg turbo version 3.0.0
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/3.0.0
Code
n/a
Expected Behavior
n/a
Actual Behavior
n/a
Version of SkiaSharp
2.88.4-preview (Preview)
Last Known Good Version of SkiaSharp
2.88.2 (Previous)
IDE / Editor
Visual Studio (Windows)
Platform / Operating System
All
Platform / Operating System Version
n/a
Devices
n/a
Relevant Screenshots
n/a