Free Support Forum - aspose.com

Usage of SharpZipLib with Aspose

Hello!
We are doing an internal security audit and have identified that Aspose.Cells (and probably other) might be using a third-party SharpZipLib library that is known to have a ‘medium’ (base score) vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-1002208
Does the usage of this SharpZipLib potentially expose the customers of Aspose to the same risk?

Plus, if you are using SharpZipLib with Aspose, which version do you use?

I would highly appreciate your response.

@muqadam.mirza,
We have noted your concern and logged it in our database for further investigation. You will be notified here once any update is ready for sharing.

This requirement is logged for Aspose.Cells as follows:
CELLSNET-47902 - Is usage of SharpZipLib safe with Aspose.Cells?

We are gathering details for other products as well and will share at the earliest.

1 Like

@muqadam.mirza,
We have further discussed this issue for other products as follows:

  • Aspose.PDF implements JZLib which is also mentioned in third party license file.
  • For Aspose.Slides, we do not use SharpZipLib. We’re using some sources from ‘DotNetZip’ library (http://dotnetzip.codeplex.com/) and this is mentioned in our third party licenses for Aspose.Slides for NET pdf document.
  • For Aspose.CAD, we do not use the specified one.
1 Like

Thank you very much for your prompt response. I am looking forward for the Aspose.Cells query as well :slight_smile:

@ahsaniqbalsidiqui Can I get that third party license file? If that is possible, it would help me in the security audit of our libraries :slight_smile:

@muqadam.mirza,

  1. DotNetZip is used in Aspose.Cells to extract zip files. Please check the list of third parties in your installation diretory, e.g., “…\Aspose\Aspose.Cells for .NET\License\thirdpartylicenses.Aspose.Cells.for.NET.pdf” when you install it via Aspose.Cells.msi installer.

  2. We do no extract the zipped files to temporary directories. We read all data from stream into API. So there is no Zip Slip vulnerability in Aspose.Cells whatsoever.

Hope, this helps a bit.

1 Like

It does help! Thank you very much. @Amjad_Sahi

@muqadam.mirza,

You are welcome.

1 Like