The dependency libjpeg 9b has critical CVEs #4150

Closed
blzheng opened this issue Jul 2, 2021 · 1 comment
Comments

@blzheng

blzheng commented Jul 2, 2021

🐛 Bug

The version of the dependency libjpeg is pinned to <= 9b (#3787), but libjpeg 9b has the critical CVEs listed below. All of those issues are related to out-of-bounds memory access, which may cause unexpected application behavior. However, these issues are fixed in libjpeg 9d.

CVE-2020-14152
CVE-2020-14153

So do you have a plan to remove the libjpeg pin to enable users to use libjpeg 9d?
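The report above turns on IJG libjpeg's letter-suffixed version scheme (9 < 9a < 9b < 9c < 9d), which a plain string comparison gets wrong and which libjpeg-turbo (versions like 2.1.0) does not share. The following added example, written for this page and not code from the issue's project or from either commenter, shows how to order those versions correctly and flag an environment whose libjpeg is older than the 9d release the reporter names as fixed. The `conda list`-style row layout it parses (name, version, build, channel) and the sample listing are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Earliest IJG libjpeg release that the issue above says carries the fixes
# for CVE-2020-14152 and CVE-2020-14153.
FIXED_IN = "9d"

# IJG libjpeg version strings are a major number with an optional lower-case
# letter suffix, ordered 9 < 9a < 9b < 9c < 9d < 9e. Anything else
# (libjpeg-turbo's "2.1.0", for instance) is not on this scale.
_IJG_RE = re.compile(r"^(\d+)([a-z]?)$")


def parse_ijg_version(version: str) -> Optional[Tuple[int, int]]:
    """Turn '9b' into a sortable (9, 2) key; return None for any string that
    is not an IJG-style version."""
    m = _IJG_RE.match(version.strip())
    if not m:
        return None
    major, suffix = m.groups()
    # The unsuffixed base release sorts below 'a'.
    return int(major), (ord(suffix) - ord("a") + 1) if suffix else 0


def has_cve_fixes(version: str, fixed_in: str = FIXED_IN) -> Optional[bool]:
    """True if an IJG libjpeg version is at or after the fixed release,
    False if it is older, None if the string is not an IJG version at all
    (a different project with its own version scheme, so no verdict)."""
    v = parse_ijg_version(version)
    f = parse_ijg_version(fixed_in)
    if v is None or f is None:
        return None
    return v >= f


# Package names this check looks at; an assumption about how the JPEG
# library is packaged, not something the issue specifies.
JPEG_PACKAGES = ("jpeg", "libjpeg", "libjpeg-turbo")


def scan_conda_list(listing: str) -> Dict[str, Tuple[str, Optional[bool]]]:
    """Map each JPEG-library row of `conda list`-style text (assumed layout:
    name, version, build, channel) to (version, has_cve_fixes verdict)."""
    verdicts: Dict[str, Tuple[str, Optional[bool]]] = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or the '# Name  Version ...' header
        fields = line.split()
        if len(fields) >= 2 and fields[0] in JPEG_PACKAGES:
            verdicts[fields[0]] = (fields[1], has_cve_fixes(fields[1]))
    return verdicts


# Constructed sample listing for the example; not real environment output.
SAMPLE_LISTING = """\
# Name                    Version                   Build  Channel
jpeg                      9b                   h024ee3a_2
libjpeg-turbo             2.1.0                h7f98852_0  conda-forge
"""

if __name__ == "__main__":
    labels = {True: "fixed", False: "VULNERABLE (older than 9d)", None: "not an IJG version"}
    for name, (ver, ok) in scan_conda_list(SAMPLE_LISTING).items():
        print(f"{name} {ver}: {labels[ok]}")
```

The three-way result is deliberate: a `None` verdict for libjpeg-turbo means "this scale does not apply", not "safe", so a pin or audit script should treat it as needing a separate check rather than silently passing it.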

@fmassa
Member

fmassa commented Oct 20, 2021

Hi,

We've unpinned the libjpeg version in #4288

Does this fix the issue you mentioned?

4 participants