
av_libglesv2.dll and libSkiaSharp.dll reference an outdated zlib and libjpeg-turbo

Open SergeyGulik opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

Our security scan complains about two things:

  • runtimes/win-x64/native/av_libglesv2.dll uses zlib.dll of version 1.2.11, recommended is 1.3.1
  • runtimes/win-x64/native/libSkiaSharp.dll uses libjpeg-turbo.dll of version 2.1.5, recommended is 3.0.0. Yes, you do not distribute these dlls :) But the security scan still complains.

Describe the solution you'd like

May I ask you to update av_libglesv2.dll and libSkiaSharp.dll to the latest versions in one of your upcoming releases? Hopefully, their vendors have already addressed the issues and use the newest zlib and libjpeg-turbo.

Describe alternatives you've considered

No response

Additional context

No response

SergeyGulik avatar May 17 '24 08:05 SergeyGulik

11.1 beta can be used with SkiaSharp 3, but we can only support it for 12.0 completely due to breaking changes.

timunie avatar May 17 '24 14:05 timunie

SkiaSharp's update of libjpeg-turbo is blocked by a potential upstream bug: https://github.com/mono/SkiaSharp/issues/2667#issuecomment-1883754749. The comment includes some details and how the vulnerable feature isn't actually part of the SkiaSharp build.

Avalonia does ship its own ANGLE lib which seems to be on zlib 1.2.13. The current upstream main is on 1.3.0.1, so even if it's updated on Avalonia's end, it won't be 1.3.1.

stevemonaco avatar May 17 '24 14:05 stevemonaco
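The scan findings in the opening post and the version discussion in the last comment both come down to one question: which zlib and libjpeg-turbo versions are statically linked into a shipped native DLL? Scanners typically answer it by matching the version strings the libraries embed. The script below is an added example, not code from Avalonia, SkiaSharp or the scanner; it reproduces that check so a finding can be verified by hand. The zlib pattern matches the `inflate <version> Copyright ... Mark Adler` string from inflate.c; the libjpeg-turbo pattern is assumed to match its `libjpeg-turbo version <x.y.z> (build ...)` message and should be adjusted if a particular build strips it. The recommended versions are the ones the issue quotes, and the sample bytes are constructed.

```python
"""Check a native DLL/.so for statically linked zlib and libjpeg-turbo version strings.

Added example, not project code. Security scanners usually identify statically
linked libraries by their embedded version/copyright strings; this does the same.
"""
import re
import sys

# Embedded version strings to look for.
# zlib: inflate.c carries " inflate <version> Copyright 1995-... Mark Adler ".
# libjpeg-turbo: assumed to carry "libjpeg-turbo version <x.y.z> (build ...)";
#   adjust the pattern if a given build strips it.
VERSION_PATTERNS = {
    "zlib": re.compile(rb"inflate (\d+\.\d+(?:\.\d+)*) Copyright"),
    "libjpeg-turbo": re.compile(rb"libjpeg-turbo version (\d+\.\d+\.\d+)"),
}

# Minimum versions the scanner in the issue recommends.
RECOMMENDED = {"zlib": "1.3.1", "libjpeg-turbo": "3.0.0"}


def parse_version(text):
    """Turn '1.2.11' or '1.3.0.1' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.split("."))


def find_embedded_versions(blob):
    """Return {component: [versions found, in order of appearance, deduplicated]}."""
    found = {}
    for name, pattern in VERSION_PATTERNS.items():
        versions = []
        for match in pattern.findall(blob):
            version = match.decode("ascii")
            if version not in versions:
                versions.append(version)
        if versions:
            found[name] = versions
    return found


def outdated_components(blob):
    """List (component, found_version, recommended_version) for each embedded
    version that is below the recommended one."""
    findings = []
    for name, versions in find_embedded_versions(blob).items():
        for version in versions:
            if parse_version(version) < parse_version(RECOMMENDED[name]):
                findings.append((name, version, RECOMMENDED[name]))
    return findings


def scan_file(path):
    """Read a native library from disk and report outdated embedded components."""
    with open(path, "rb") as handle:
        return outdated_components(handle.read())


# Constructed sample standing in for a DLL that statically links both libraries
# (a real file is far larger; only the version strings matter for this check).
SAMPLE_DLL_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
    + b"\x00" * 32
    + b"libjpeg-turbo version 2.1.5 (build 20230208)\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("no file given; checking the constructed sample")
        for name, version, rec in outdated_components(SAMPLE_DLL_BYTES):
            print(f"sample: {name} {version} is below recommended {rec}")
    for path in targets:
        for name, version, rec in scan_file(path):
            print(f"{path}: {name} {version} is below recommended {rec}")
```

Run it as `python check_native_versions.py runtimes/win-x64/native/av_libglesv2.dll runtimes/win-x64/native/libSkiaSharp.dll` to see what the shipped binaries actually embed; the tuple comparison in `parse_version` also handles the four-part `1.3.0.1` ANGLE upstream version mentioned in the thread, which sorts below `1.3.1` as the comment states.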