search

hex007 / freej2me

A free J2ME emulator with libretro, awt and sdl2 frontends.
Other
501 stars 78 forks source link

insecure dependency: Freeimage is littered with CVEs #221

Open Sigmanificient opened 4 months ago

Sigmanificient commented 4 months ago

Hi, I am currently porting freej2me to nixpkgs (a linux package repository). Unfortunately, the package is stuck in draft due to the Freeimage dependency, which is littered with CVEs:

CVE-2021-33367
CVE-2021-40262
CVE-2021-40263
CVE-2021-40264
CVE-2021-40265
CVE-2021-40266
CVE-2023-47992
CVE-2023-47993
CVE-2023-47994
CVE-2023-47995
CVE-2023-47996

Due to the insecure nature of the dependency, it cannot be merged at the current state. I know that freej2me may not have high security concerns as it isn't a critical application, but I think using a freeimage should be avoided in it's current state.

I hope this can mark the start to migrating towards a vulnerability-free graphics library.

recompileorg commented 4 months ago

This project is not dependent on Freeimage.

The main project is pure Java. The Libretro core is not dependent on Freeimage.

The only thing that uses Freeimage is @hex007 's SDL interface, which like the Libretro core, is completely optional.

Sigmanificient commented 4 months ago

Thanks for your clarification, this is a great news