SkiaSharp - Vulneralable

neemlal · September 26, 2023, 1:01pm

Team,

         We are using aspose.cells version 23.6.0, our security team has marked SkiaSharp as high vulnerable package.

For me to deploy, i need an fix for this. Does aspose has any workaround for this ?

amjad.sahi · September 26, 2023, 1:22pm

@neemlal,

If you are using Windows platform, you may use System.Drawing.Common instead of SkiaSharp library as a dependency of graphics. See the document for your reference.
https://docs.aspose.com/cells/net/how-to-run-aspose-cells-for-net6/

neemlal · September 26, 2023, 4:29pm

I am using Web API(.net core - 6.0)

amjad.sahi · September 26, 2023, 5:30pm

@neemlal,

Also, what is your OS or target OS? We will also check the vulnerability for SkiaSharp and get back to you.

neemlal · September 27, 2023, 6:41am

as of now, our target OS is windows.

John.He · September 27, 2023, 7:05am

@neemlal
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.

Issue ID(s): CELLSNET-54299

You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.

neemlal · September 27, 2023, 7:10am

So you mean to say no work around for this as of now?
What if i install

System.Drawing.Common, 4.7.0.
System.Security.Cryptography.Pkcs, 5.0.1.
System.Text.Encoding.CodePages, 4.7.0.

will it replace Skiasharp ?

John.He · September 27, 2023, 7:31am

@neemlal
We will investigate the issue of SkiaSharp vulnerabilities. If you use the Windows system and use System.Drawing.Common as the graphics library, you can choose not to use SkiaSharp. We use SkiaSharp install of System.Drawing.Common in non Windows systems.
Please refer to the following documents:

peyton.xu · September 27, 2023, 7:35am

@neemlal,

What is the vulnerability in SkiaSharp(which version) reported by your security team? Could you please share us some more details. e.g. some reference links about the vulnerability?

neemlal · September 27, 2023, 8:09am

the vulnerability is marked to CVE-2023-4863

John.He · September 27, 2023, 8:14am

@neemlal
Thanks for further details. Let us investigate and analyze your issue in details. Hopefully we could figure it out soon. Once we have an update on it, we will let you know.

John.He · September 28, 2023, 6:15am

@neemlal
SkiaSharp has resolved the vulnerability of CVC-2023-4863. You can update the version to solve the issue. Please check the documentation.

github.com/mono/SkiaSharp

[BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863

opened 05:41PM - 14 Sep 23 UTC

closed 05:56PM - 19 Sep 23 UTC

delroth

type/bug

### Description SkiaSharp vendors (via mono/skia) a version of libwebp that is …vulnerable to CVE-2023-4863. Upstream skia picked up the fixed libwebp via https://github.com/google/skia/commit/1176deb1ac552f05092be69fc30b49245bb9f897 Please: 1. Update mono's skia fork. 2. Release a new SkiaSharp version which isn't vulnerable to CVE-2023-4863 anymore. 3. Update the GHSA for CVE-2023-4863 (https://github.com/advisories/GHSA-j7hp-h8jx-5ppr) so that dependents get alerted of the vulnerability in SkiaSharp. (Happy to take care of that myself otherwise when a new release is available) Thank you! ### Code n/a ### Expected Behavior _No response_ ### Actual Behavior _No response_ ### Version of SkiaSharp 2.88.3 (Current) ### Last Known Good Version of SkiaSharp Other (Please indicate in the description) ### IDE / Editor Other (Please indicate in the description) ### Platform / Operating System All ### Platform / Operating System Version _No response_ ### Devices _No response_ ### Relevant Screenshots _No response_ ### Relevant Log Output _No response_ ### Code of Conduct - [X] I agree to follow this project's Code of Conduct

neemlal · October 3, 2023, 7:30am

just updating skiasharp version to 2.88.6 will help me out ?

amjad.sahi · October 3, 2023, 7:49am

@neemlal,

Yes, your understanding is correct.

aspose.notifier · October 12, 2023, 12:13pm

The issues you have found earlier (filed as CELLSNET-54299) have been fixed in this update. This message was posted using Bugs notification tool by johnson.shi