FreakyAli / Maui.FreakyControls

FreakyControls is a free OSS UI Kit for .NET MAUI which provides a set of controls and utilities to build modern mobile apps.
MIT License

SkiaSharp needs to be updated due to a well documented Vulnerability #140

Closed usefulBeeing closed 1 month ago

usefulBeeing commented 3 months ago

Description

I'm getting the following error while testing the <freakyControls:FreakyAutoCompleteView /> control:

Exception thrown: 'Microsoft.Maui.Platform.HandlerNotFoundException' in Microsoft.Maui.dll
Handler not found for view Maui.FreakyControls.FreakyAutoCompleteView.

Actual Behavior

I'm assuming this might have something to do with upgrading to the latest SkiaSharp version after learning about the existing vulnerability with older versions.

Screenshots

[Screenshots: _freaky5, _freaky1, _freaky2, _freaky3, _freaky4]

FreakyAli commented 3 months ago

Was this working with the older versions of SkiaSharp?

Just FYI, the controls only support Android and iOS for the time being.

Also if you're running Android or iOS, can you try the latest pre-release and see if that works?

usefulBeeing commented 3 months ago

Good points!

> Was this working with the older versions of SkiaSharp?

I uninstalled SkiaSharp completely. So this is not what triggers the issue with the FreakyAutoCompleteView control.

With that said, the SkiaSharp version that ships with the NuGet package needs to be updated to the latest stable regardless, due to the vulnerability mentioned earlier.

> Just FYI, the controls only support Android and iOS for the time being.

I tested using Android 14.0 Pixel 5 Emulator, and the app just freezes.

I also tested using the Windows Machine, then the Handler not found exception is thrown.

This exception appears to affect FreakySignatureCanvasView and FreakySignaturePadView, as well as FreakyAutoCompleteView.

FreakyAutoCompleteView appears to be the only control that causes the Android Emulator to freeze.

> Also if you're running Android or iOS, can you try the latest pre-release and see if that works.

I rolled back to 0.4.9, same results.

FreakyAli commented 3 months ago

I'll check this once I'm a bit free; for now, though, you'll have to make do with the pre-release v5.0.

FreakyAli commented 3 months ago

I'm actually a bit busy for the next couple of months, so I cannot check this. If you could narrow the issue down, I could fix it and try releasing, but for the time being I might not be able to help here!

usefulBeeing commented 3 months ago

> if you could narrow the issue down I could fix it and try releasing.

Since you're obviously busy, I will try to narrow this down. Regarding other issues, I might break them down into separate posts for future reference; for when you have more time.

To get down to the point:

The current freaky stable NuGet release recommends SkiaSharp 2.88.0 and above. The pre-release v5.0 recommends SkiaSharp 2.88.3 and above.

Both 2.88.0 and 2.88.3 are marked as Vulnerable.

Secure SkiaSharp versions start at 2.88.6 and above.

If you plan on a quick emergency release, it should tackle this one issue in my opinion.
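
The comment above gives 2.88.6 as the first secure SkiaSharp version. As an added example (not part of the thread or the project's code), this Python script reads the `targets` section of a restored project's `obj/project.assets.json` and reports every resolved SkiaSharp package below that version, together with the packages that depend on it. The sample JSON, the `0.0.0-sample` version, the function names and the assumption that `SkiaSharp.NativeAssets.*` packages follow the same version line are constructed for illustration.

```python
import json

# Threshold from the thread: 2.88.0 and 2.88.3 are flagged, 2.88.6 is the first secure version.
FIRST_FIXED = "2.88.6"

# Constructed sample of the "targets" section of obj/project.assets.json (not real project output).
SAMPLE_ASSETS = json.loads("""
{"targets": {
  "net8.0-android34.0": {
    "Maui.FreakyControls/0.0.0-sample": {"dependencies": {"SkiaSharp": "2.88.0"}},
    "SkiaSharp/2.88.3": {"type": "package"}},
  "net8.0-ios17.0": {
    "Maui.FreakyControls/0.0.0-sample": {"dependencies": {"SkiaSharp": "2.88.0"}},
    "SkiaSharp/2.88.6": {"type": "package"}}
}}
""")

def version_key(version):
    """Sortable key for a NuGet version; a prerelease sorts below its release."""
    core, _, prerelease = version.partition("-")
    numbers = [int(n) for n in core.split("+")[0].split(".")]
    numbers += [0] * (4 - len(numbers))
    return (tuple(numbers), prerelease == "")

def is_skiasharp(package_id):
    # Assumption: the native asset packages are versioned together with the core package.
    name = package_id.lower()
    return name == "skiasharp" or name.startswith("skiasharp.nativeassets.")

def find_old_skiasharp(assets, first_fixed=FIRST_FIXED):
    """Return sorted (target, package, version, [dependents]) for SkiaSharp below first_fixed."""
    findings = []
    for target, packages in assets.get("targets", {}).items():
        for key in packages:
            package_id, _, version = key.partition("/")
            if not is_skiasharp(package_id) or version_key(version) >= version_key(first_fixed):
                continue
            # Packages in the same target that declare a dependency on the flagged package.
            dependents = sorted(
                other.partition("/")[0]
                for other, info in packages.items()
                if any(dep.lower() == package_id.lower() for dep in info.get("dependencies", {}))
            )
            findings.append((target, package_id, version, dependents))
    return sorted(findings)

if __name__ == "__main__":
    for target, package_id, version, dependents in find_old_skiasharp(SAMPLE_ASSETS):
        print(f"{target}: {package_id} {version} < {FIRST_FIXED}, pulled in by {dependents}")
```

The .NET CLI's `dotnet list package --vulnerable --include-transitive` reports the same kind of finding from NuGet's advisory data.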

FreakyAli commented 3 months ago

Cool