SixLabors / ImageSharp

:camera: A modern, cross-platform, 2D Graphics library for .NET
https://sixlabors.com/products/imagesharp/

Please backport CVE-2024-27929 to 2.1.x #2686

Closed mfeingol closed 5 months ago

mfeingol commented 5 months ago

Prerequisites

ImageSharp version

2.1.6

Other ImageSharp packages and versions

N/A

Environment (Operating system, version and so on)

N/A

.NET Framework version

N/A

Description

cf. https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r

Steps to Reproduce

N/A

Images

No response

JimBobSquarePants commented 5 months ago

Do not abuse the issue tracker like this.

mfeingol commented 5 months ago

My apologies. Why is this abusing the issue tracker?

JimBobSquarePants commented 5 months ago

Please see the highlighted checkbox

[screenshot of the highlighted checkbox in the issue template]

v2.1.6 is a full major version behind the latest stable release v3.1.3. As such, your completion of this is incorrect. v3.0.0 was released over one year ago and I am actively working on v4 now. You should upgrade your working version to the latest release.

mfeingol commented 5 months ago

I see. I need to support .NET Standard 2.0 libraries that cannot upgrade to 3.x. Because 3.x no longer supports .NET Standard 2.0, it seemed reasonable to at least request CVE backports, at least for some time.

ispysoftware commented 5 months ago

@JimBobSquarePants There's lots of software running ImageSharp that is using .NET Framework 4.7.2 and has not been ported to .NET 6 (and it isn't possible to port some of it due to missing feature sets on Windows). .NET Framework 4.7.2 is LTS to 2032. Can't add a reference to .NET 6 from a 4.7.2 full framework application. Ideally there'd be .NET Standard 2 compatible builds of 3.x.

JimBobSquarePants commented 5 months ago

> There's lots of software running ImageSharp that is using .NET Framework 4.7.2 and has not been ported to .NET 6

Yes, there may well be, however.

- Almost nobody contributes code
- Almost nobody purchases licenses

If they had and it was possible to actually maintain the libraries to a degree that would allow me to actually either earn a living working on them or pay others to assist then there would be more comprehensive support.

> Ideally there'd be .NET Standard 2 compatible builds of 3.x

See https://github.com/SixLabors/ImageSharp/discussions/2378 regarding discussions around target frameworks.

ispysoftware commented 5 months ago

Understood, sorry, I had the distinct impression this was Microsoft sponsored for some reason.

mfeingol commented 5 months ago

Thanks all for the discussion.

I think there's a difference between active new feature support and CVE backports. But regardless.

My current use of ImageSharp is to read image dimensions from certain images. The simplest path for me is to switch to something else that supports the platforms I currently need to target. It looks like SkiaSharp has that basic functionality, so I'll be switching to that.

tiesont commented 5 months ago

> Understood, sorry, I had the distinct impression this was Microsoft sponsored for some reason.

At one time, ImageSharp was part of the .NET Foundation. Not the case anymore. See https://dotnetfoundation.org/news-events/detail/update-on-imagesharp if you want their take on it.

JimBobSquarePants commented 5 months ago

That didn't involve any funding though.

Anyway... The fix has been backported.

ispysoftware commented 5 months ago

Thanks @JimBobSquarePants, it's much appreciated. I tried the updated version but I'm still getting a warning in Visual Studio.

[screenshot of the Visual Studio warning]

tiesont commented 5 months ago

> Thanks @JimBobSquarePants, it's much appreciated. I tried the updated version but I'm still getting a warning in Visual Studio.

NuGet doesn't show an advisory - have you rebuilt the project and/or refreshed your NuGet feed?

[screenshot of the NuGet package manager showing no advisory]

ispysoftware commented 5 months ago

@tiesont Yes, I've tried turning it off and on again and everything. Clean/Rebuild, Restart etc. It's weird, as it doesn't say "Vulnerable" in the Version dropdown in the package manager but does in Solution Explorer.

JimBobSquarePants commented 5 months ago

Delete your .vs folder. If that doesn't work, try deleting your local NuGet cache.

If that doesn't work I'd suggest reporting the issue to Microsoft as everything is correctly marked at the source.

ispysoftware commented 5 months ago

Cleared the NuGet cache via Tools > NuGet Package Manager > Package Manager Console, deleted the .vs folder; still shows as vulnerable.

Created an entirely new project and referenced 2.1.7 - shows as vulnerable in Solution Explorer. Tried it on another PC - same results.

Maybe someone else wants to try it?

tiesont commented 5 months ago

> Cleared the NuGet cache via Tools > NuGet Package Manager > Package Manager Console, deleted the .vs folder; still shows as vulnerable.
>
> Created an entirely new project and referenced 2.1.7 - shows as vulnerable in Solution Explorer. Tried it on another PC - same results.
>
> Maybe someone else wants to try it?

I see the same behavior, but like @JimBobSquarePants says, this is 99.999% likely to be a Visual Studio or NuGet Package Manager bug, not an issue with ImageSharp.

ispysoftware commented 5 months ago

OK, thanks for confirming - maybe it'll resolve itself / some cache somewhere needs to reset.

JimBobSquarePants commented 5 months ago

There must be something VS uses that caches the vulnerability list. I can install the version fine and, as you say, it doesn't show as vulnerable in the package manager, but yes, it shows as vulnerable in the dependencies. I would definitely raise this upstream.

tiesont commented 5 months ago

Would this be worth adding as a new discussion here, just to have a place to direct this conversation that isn't polluting this particular issue?

I'm currently looking in the issue tracker for the NuGet client tools to see if it's been reported yet, regardless.

JimBobSquarePants commented 5 months ago

It's really not relevant to this repository at all now. The package is published and explicitly marked as safe.