Skip to content

chore: address CVE-2023-42282 #1836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 12, 2024
Merged

chore: address CVE-2023-42282 #1836

merged 1 commit into from
Feb 12, 2024
+2 −8

Conversation

@tido64
Copy link
Member

@tido64 tido64 commented Feb 12, 2024

Description

The only difference between 1.1.8 and 2.0.0 is the use of Buffer.alloc instead of new Buffer (diff).

For details on the CVE, see GHSA-78xj-cgh5-2h22.

Platforms affected

  • Android
  • iOS
  • macOS
  • Windows

Test plan

n/a

@tido64 tido64 requested a review from kelset as a code owner February 12, 2024 10:22
@tido64 tido64 merged commit 37e4e05 into trunk Feb 12, 2024
@tido64 tido64 deleted the tido/address-CVE-2023-42282 branch February 12, 2024 10:47
@levpachmanov
Copy link

levpachmanov commented Feb 12, 2024

Hi @tido64 @kelset,

[email protected] is affected by CVE-2023-42282 - github/advisory-database#3504
Unfortunately, the library is no longer maintained, so there is no public solution.

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an ip 1.1.8-sp and 2.0.0-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at [email protected] if you have any requests/questions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kelset kelset kelset approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tido64 @levpachmanov @kelset