
Fix CVE-2021-23792 vulnerability from imageio-jpeg #1336

Closed
CGarces opened this issue Jun 11, 2022 · 1 comment
Labels
- priority: critical (To be processed and published ASAP)
- status: accepted (Ready to be further processed)
- status: completed (Work completed, can be closed)
- type: maintenance (The issue is related to a meta task: build system, dependency update, etc.)

Milestone: v5.0.0-beta
Comments

CGarces commented Jun 11, 2022

Hi.

The current version of epubcheck has a vulnerability considered critical in my current builds, which use epubcheck 4.2.6.

See
https://security.snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23792
GHSA-pjch-4g28-fxx7

The vulnerability is caused by one of the dependencies, imageio-jpeg:
https://github.com/w3c/epubcheck/blob/main/pom.xml#L210-L214

This security issue was fixed in 3.7.1, but I don't have the knowledge to test epubcheck with the upgraded version.

Please note that the version used (3.4.1) is from 2018; the last version from that branch is 3.4.3 from 2020, but it does not fix the CVE-2021-23792 vulnerability.

Is it possible to bump the imageio-jpeg dependency?
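The following is an added example, not code from the issue or from the epubcheck project: a small POSIX shell check that inspects a distribution's lib directory and flags any bundled imageio-jpeg jar below the first fixed release named in the issue (3.7.1). It assumes the standard Maven artifact naming `imageio-jpeg-<version>.jar`; the lib directory path and the sample jars are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the epubcheck issue or project). Checks a lib/
# directory for imageio-jpeg jars older than the release the issue reports as
# fixing CVE-2021-23792. Version comparison is numeric per dotted component, so
# 3.4.3 (a later release of the old branch) is still reported as vulnerable.

FIXED_VERSION="3.7.1"   # first fixed release, as stated in the issue

# version_ge A B : return 0 if dotted version A >= B, 1 otherwise.
# Missing trailing components count as 0 (3.7 == 3.7.0); non-numeric
# suffixes such as "-SNAPSHOT" are truncated by awk's numeric conversion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# check_lib_dir DIR : print one line per imageio-jpeg jar found ("OK ..." or
# "VULNERABLE ..."). Returns 1 if any jar is below FIXED_VERSION or if no
# imageio-jpeg jar is present at all (an absent jar is not proof of safety:
# the dependency may be shaded or the path may simply be wrong).
check_lib_dir() {
    dir="$1"; status=0; found=0
    for jar in "$dir"/imageio-jpeg-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        found=1
        name=$(basename "$jar" .jar)
        ver=${name#imageio-jpeg-}          # Maven naming: artifactId-version.jar
        if version_ge "$ver" "$FIXED_VERSION"; then
            printf 'OK %s\n' "$name"
        else
            printf 'VULNERABLE %s (needs >= %s)\n' "$name" "$FIXED_VERSION"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'NO imageio-jpeg jar found in %s\n' "$dir"
        status=1
    fi
    return "$status"
}

# Constructed sample: empty files standing in for the jars of an epubcheck
# 4.2.6-style distribution that still ships imageio-jpeg 3.4.1.
demo_dir=$(mktemp -d)
touch "$demo_dir/imageio-jpeg-3.4.1.jar" "$demo_dir/imageio-core-3.4.1.jar"
check_lib_dir "$demo_dir" || echo "this build bundles a vulnerable imageio-jpeg"
rm -rf "$demo_dir"
```

Point it at the real `lib/` directory of an unpacked epubcheck distribution instead of the constructed one; a non-zero exit is the signal to treat the build as affected.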


CGarces commented Jun 11, 2022

I have enabled dependabot on my repo:
https://github.com/CGarces/epubcheck/blob/main/.github/dependabot.yml

And the automatic PR generated by dependabot for the 3.8.2 upgrade passes the CI scripts:

CGarces#3

@rdeltour rdeltour added type: maintenance The issue is related to a meta task (build system, dependency update, etc) status: accepted Ready to be further processed priority: critical To be processed and published ASAP labels Jun 20, 2022
@rdeltour rdeltour added the status: in progress The issue is being implemented by the development team label Nov 28, 2022
@rdeltour rdeltour added this to the v5.0.0-beta milestone Nov 28, 2022
@rdeltour rdeltour added status: completed Work completed, can be closed and removed status: in progress The issue is being implemented by the development team labels Dec 1, 2022