Please backport CVE-2024-27929 to 2.1.x about imagesharp HOT 20 CLOSED

There's lots of software running imagesharp that is using net framework 4.7.2 and has not been ported to net 6

Yes, there may well be, however.

Almost nobody contributes code
Almost nobody purchases licenses

If they had and it was possible to actually maintain the libraries to a degree that would allow me to actually either earn a living working on them or pay others to assist then there would be more comprehensive support.

Ideally there'd be net standard 2 compatible builds of 3.x

See
#2378 regarding discussions around target frameworks.

from imagesharp.

Do not abuse the issue tracker like this.

from imagesharp.

I see. I need to support .NET Standard 2.0 libraries that cannot upgrade to 3.x. Because 3.x no longer supports .NET Standard 2.0, it seemed reasonable to at least request CVE backports, at least for some time.

from imagesharp.

That didn't involve any funding though.

Anyway... The fix has been backported.

from imagesharp.

It's really not relevant to this repository at all now. The package is published and explicitly marked as safe.

from imagesharp.

@JimBobSquarePants There's lots of software running imagesharp that is using net framework 4.7.2 and has not been ported to net 6 (and it isn't possible to port some of it due to missing feature sets on windows). Net framework 4.7.2 is LTS to 2032. Can't add a reference to net 6 from a 4.7.2 full framework application. Ideally there'd be net standard 2 compatible builds of 3.x

from imagesharp.

Delete your .vs folder. If that doesn't work, try deleting your local NuGet cache.

If that doesn't work I'd suggest reporting the issue to Microsoft as everything is correctly marked at the source.

from imagesharp.

My apologies. Why is this abusing the issue tracker?

from imagesharp.

Please see the highlighted checkbox

v2.1.6 is a full major version behind the latest stable release v3.1.3. As such, your completion of this is incorrect. v3.0.0 was released over one year ago and I am actively working on v4 now. You should upgrade your working version to the latest release.

from imagesharp.

Understood, sorry i had the distinct impression this was Microsoft sponsored for some reason.

from imagesharp.

Thanks all for the discussion.

I think there's a difference between active new feature support and CVE backports. But regardless.

My current use of ImageSharp is to read image dimensions from certain images. The simplest path for me is to switch to something else that supports the platforms I currently need to target. It looks like SkiaSharp has that basic functionality, so I'll be switching to that.

from imagesharp.

Understood, sorry i had the distinct impression this was Microsoft sponsored for some reason.

At one time, ImageSharp was part of the .NET Foundation. Not the case anymore. See https://dotnetfoundation.org/news-events/detail/update-on-imagesharp if you want their take on it.

from imagesharp.

Thanks @JimBobSquarePants it's much appreciated.
I tried the updated version but i'm still getting a warning in visual studio

from imagesharp.

Thanks @JimBobSquarePants it's much appreciated. I tried the updated version but i'm still getting a warning in visual studio

NuGet doesn't show an advisory - have you rebuilt the project and/or refreshed your NuGet feed?

from imagesharp.

@tiesont yes i've tried turning it off and on again and everything. Clean/ Rebuild, Restart etc.
It's weird as it doesn't say "Vulnerable" in the Version dropdown in package manager but does in the solution explorer

from imagesharp.

cleared the nuget cache via Tools > NuGet Package Manager > Package Manager Console
deleted .vs folder
still shows as vulnerable

created an entirely new project and referenced 2.1.7 - shows as vulnerable in solution explorer
tried it on another pc - same results

maybe someone else wants to try it?

from imagesharp.

cleared the nuget cache via Tools > NuGet Package Manager > Package Manager Console deleted .vs folder still shows as vulnerable

created an entirely new project and referenced 2.1.7 - shows as vulnerable in solution explorer tried it on another pc - same results

maybe someone else wants to try it?

I see the same behavior, but like @JimBobSquarePants says, this is 99.999% likely to be a Visual Studio or Nuget Package Manager bug, not an issue with ImageSharp.

from imagesharp.

ok thanks for confirming - maybe it'll resolve itself / some cache somewhere needs to reset.

from imagesharp.

There must be something VS uses that caches the vulnerability list. I can install the version fine and as you say is doesn't show as vulnerable in the package manager but yes it shows as vulnerable in the dependencies. I would definitely raise this upstream.

from imagesharp.

Would this be worth adding as a new discussion here, just to have a place to direct this conversion that isn't polluting this particular issue?

I'm currently looking in the issue tracker for the NuGet client tools to see if it's been reported yet, regardless.

from imagesharp.