Closed Jayl1n closed 3 years ago
@dhowden: We are currently facing vulnerability(CVE-2020-29242) on similar lines for a different package:
Error: dhowden tag before 2020-11-19 allows "panic: runtime error: index out of range" via readPICFrame.
Package: taglibs-standard-impl-1.2.5
From the maven repository, 1.2.5 (https://mvnrepository.com/artifact/org.apache.taglibs/taglibs-standard-spec) seems to be the latest package available. Can you please suggest any workaround for the issue?
Hi @swapnilpotnis
This issue (along with a few others) was fixed on 2020-11-20.
I'm not familiar with that Java library, but the description is "An implementation of the JSP Standard Tag Library (JSTL) Specification API", dated 2015, which does not seem to be related to extracting metadata from music files?
How are you seeing this error? If you need to make a quick fix, I would recommend wrapping all calls to this library with recover methods so that you can stop panics before they crash the running process: see https://blog.golang.org/defer-panic-and-recover for more details.
@swapnilpotnis Getting the error from https://github.com/jeremylong/DependencyCheck? Looks like a false positive to me.
Hello, I found some vulnerabilities in this repository; they could be used to cause a denial of service via decoding some evil file.
This is the first vulnerability in id3v2frames.go.
In the readPICFrame function, you don't check the size of the b parameter. If the size of b is zero or less than 6, the program will panic.
testcase 147678a9d5f9418743fccc6bd8e9e2ca8f4f2f59.zip
info
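The two points raised in this thread, the missing length check in readPICFrame and the defer/recover stop-gap, as an added example (my code, not the dhowden/tag implementation). The frame layout follows ID3v2.2 PIC; the function names and the hand-built frame bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// picFrame models an ID3v2.2 PIC frame: encoding(1), image format(3), picture type(1), NUL-terminated description, data.
type picFrame struct {
	Encoding, PicType byte
	Format, Desc      string
	Data              []byte
}

// readPICFrameUnchecked reproduces the reported defect: no length check, so b shorter than 6 bytes panics.
func readPICFrameUnchecked(b []byte) *picFrame {
	rest := b[5:]
	i := bytes.IndexByte(rest, 0)
	return &picFrame{Encoding: b[0], Format: string(b[1:4]), PicType: b[4],
		Desc: string(rest[:i]), Data: rest[i+1:]}
}

// readPICFrame is the hardened form: bounds are checked up front and malformed input returns an error.
func readPICFrame(b []byte) (*picFrame, error) {
	if len(b) < 6 {
		return nil, fmt.Errorf("PIC frame too short: %d bytes", len(b))
	}
	rest := b[5:]
	i := bytes.IndexByte(rest, 0)
	if i < 0 {
		return nil, fmt.Errorf("PIC frame: unterminated description")
	}
	return &picFrame{Encoding: b[0], Format: string(b[1:4]), PicType: b[4],
		Desc: string(rest[:i]), Data: rest[i+1:]}, nil
}

// safeRead is the thread's stop-gap: defer/recover turns a parser panic into an error instead of a crash.
func safeRead(parse func([]byte) *picFrame, b []byte) (f *picFrame, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered from parser panic: %v", r)
		}
	}()
	return parse(b), nil
}

func main() {
	_, err := safeRead(readPICFrameUnchecked, []byte{0}) // constructed 1-byte frame
	fmt.Println(err)
}
```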