Fix stack overflow #190

Merged: 4 commits merged into master from fix-issue-419-stack-overflow, Jul 24, 2019

Conversation

drewnoakes
Owner

Fixes the .NET side of drewnoakes/metadata-extractor#419.

@drewnoakes drewnoakes requested a review from kwhopper July 23, 2019 09:43
@drewnoakes drewnoakes force-pushed the fix-issue-419-stack-overflow branch from 26f7c82 to d361bbc July 23, 2019 13:29
Collaborator

@kwhopper kwhopper left a comment

It looks like you updated PanasonicRawWbInfo2Descriptor as well. You might do the same thing on the Java side before approving that one.

But on the dotnet side, this all seems reasonable.

@drewnoakes drewnoakes merged commit c9a8a9a into master Jul 24, 2019
@drewnoakes drewnoakes deleted the fix-issue-419-stack-overflow branch July 24, 2019 00:34
@benSlaughter
👋 Hi @drewnoakes @kwhopper I'm a member of the GitHub software security team.
I'm not sure if you are aware of it but we have had CVE-2019-14262 come to our attention. I saw that this pull request is a fix, but it has not been released yet.
Would you be happy to create a Security Advisory for this and publish it once you have released a fixed version?
Our tooling will pick that advisory up once you publish it and we'll send alerts to your users including the details you write there, along with details of the fixed version.
I've put a one week hold on this on our side in the meantime.

@VPKSoft
VPKSoft commented Oct 26, 2019

Hi,
I'm sorry to ask you to hurry a fixed release to become available. This is a great library and I haven't had any issues with this stack overflow happening - however if this is noticed by a security analyst as a moderate security flaw, it shouldn't 🙄 take many minutes to create a new NuGet release of the software as the source code seems already to be fixed. I would actually be happy if anyone would report a security flaw within my projects, but not being as popular as this - probably no one will 🤔.
Thanks again for the great software 👍

@drewnoakes
Owner Author

Version 2.2.0 is released which includes this fix along with several other improvements.

@VPKSoft
VPKSoft commented Oct 27, 2019

Thank you - no more security alerts from GitHub then 😀

@philipjss
@drewnoakes hello - I am looking for a non-dotnet version of this library that contains the same WhiteSource vulnerability fix. I see that the dotnet version with the fix is 2.2.0, dated 27 Oct 2019.

Am I right in assuming that non-dotnet versions 2.12.0 (6 Jul 2019) and 2.13.0 (21 Jan 2020) contain the same fix?

Thanks,

Philip

@drewnoakes
Owner Author

@philipjss I assume you're referring to the Java implementation. For that library, version 2.13.0 contains the stack overflow fix.

https://github.com/drewnoakes/metadata-extractor/releases/tag/2.13.0

philipjss added a commit to philipjss/scrimage that referenced this pull request Feb 20, 2020
…ility

scrimage currently uses metadata-extractor 2.12.0, which suffers from a stackoverflow vulnerability (see drewnoakes/metadata-extractor-dotnet#190 for details - in the dotnet version of metadata-extractor)

The vulnerability is fixed in version 2.13.0 of metadata-extractor (see drewnoakes/metadata-extractor-dotnet#190 (comment)).

Can we please upgrade to metadata-extractor 2.13.0?
jasonmasui added a commit to jasonmasui/scrimage that referenced this pull request Aug 15, 2024
…ility

scrimage currently uses metadata-extractor 2.12.0, which suffers from a stackoverflow vulnerability (see drewnoakes/metadata-extractor-dotnet#190 for details - in the dotnet version of metadata-extractor)

The vulnerability is fixed in version 2.13.0 of metadata-extractor (see drewnoakes/metadata-extractor-dotnet#190 (comment)).

Can we please upgrade to metadata-extractor 2.13.0?