Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update of libpng and zlib in component PDF #4582

Closed
Spaky opened this issue Jun 13, 2024 · 1 comment
Closed

Update of libpng and zlib in component PDF #4582

Spaky opened this issue Jun 13, 2024 · 1 comment
Assignees
@matejk
Labels
enhancement fixed security
Milestone
Release 1.14.0

Comments

@Spaky
Copy link
Contributor

Spaky commented Jun 13, 2024
edited
Loading

Hello,

we should update libpng, zlib sources which are part of component PDF because the current included versions has several CVEs.
PDF in poco 1.13.3 uses:

  • zlib 1.2.3
  • libpng 1.2.24

||Severity||Vulnerability Id||CVSS 3 Score||Published||
|Critical|CVE-2022-37434|9,8|05.08.2022|
|Critical|CVE-2010-1205|9,8|30.06.2010|
|Critical|CVE-2017-12652|9,8|10.07.2019|
|High|CVE-2011-2692|8,8|17.07.2011|
|High|CVE-2016-10087|7,5|30.01.2017|
|High|CVE-2015-8472|7,3|21.01.2016|
|Medium|WS-2020-0368|6,5|22.02.2020|
|Medium|CVE-2010-2249|6,5|30.06.2010|
|Medium|CVE-2011-2501|6,5|17.07.2011|
|Medium|CVE-2011-2691|6,5|17.07.2011|
|Medium|CVE-2008-6218|5,9|20.02.2009|
|Medium|CVE-2011-3048|5,6|29.05.2012|
|Medium|CVE-2011-3045|5,6|22.03.2012|
|Medium|CVE-2015-7981|5,3|24.11.2015|
|Medium|CVE-2015-2158|4,9|06.10.2017|
|Low|CVE-2010-0205|3,7|03.03.2010|
|Low|CVE-2008-3964|3,7|11.09.2008|
|Low|CVE-2012-3425|3,7|13.08.2012|

Maybe libharu 2.2.0 should be also updated.
OgreTransporter added a commit to OgreTransporter/poco that referenced this issue Jul 21, 2024
@OgreTransporter
enh(PDF): Upgrade bundled zlib to 1.3.1 (see pocoproject#4582)
c3676f3
OgreTransporter added a commit to OgreTransporter/poco that referenced this issue Jul 21, 2024
@OgreTransporter
enh(PDF): Upgrade bundled libpng to 1.6.43 (see pocoproject#4582)
02266f9
@OgreTransporter OgreTransporter mentioned this issue Jul 21, 2024
Closed
@tbeu
Copy link
Contributor

tbeu commented Aug 13, 2024

Seems odd, that Poco::Foundation and Poco:PDF each contain different versions of zlib.

matejk pushed a commit that referenced this issue Sep 11, 2024
@OgreTransporter @matejk
enh(PDF): Upgrade bundled zlib to 1.3.1 (see #4582)
432b11f
matejk pushed a commit that referenced this issue Sep 11, 2024
@OgreTransporter @matejk
enh(PDF): Upgrade bundled libpng to 1.6.43 (see #4582)
21f9e07
@matejk matejk added this to the Release 1.14.0 milestone Sep 11, 2024
@matejk matejk added this to 1.14 Sep 11, 2024
@matejk matejk self-assigned this Sep 11, 2024
@matejk matejk mentioned this issue Sep 11, 2024
Merged
matejk added a commit that referenced this issue Sep 11, 2024
@matejk
update(zlib): Version 1.3.1 in module PDF (#4582)
bbe9514
matejk added a commit that referenced this issue Sep 11, 2024
@matejk
update(libpng): Version 1.6.43 (#4582)
083ac39
matejk added a commit that referenced this issue Sep 12, 2024
@matejk
update(libpng): Version 1.6.43 (#4582)
2163c20
@matejk matejk mentioned this issue Sep 12, 2024
Merged
@matejk matejk moved this to Done in 1.14 Sep 12, 2024
matejk added a commit that referenced this issue Sep 12, 2024
@matejk
zlib: Version 1.3.1 in module PDF (#4582) (#4681)
b85b496 
* update(zlib): Version 1.3.1 in module PDF (#4582)

* update(zlib): remove gzio from VS project files and Makefile
@matejk matejk added the fixed label Sep 13, 2024
@matejk matejk closed this as completed Nov 28, 2024
@tbeu tbeu mentioned this issue Nov 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matejk matejk

Labels
enhancement fixed security
Projects
1.14
Status: Done
Milestone
Release 1.14.0
Development

No branches or pull requests
3 participants
@matejk @tbeu @Spaky