Title: Security Issue: dlib depends on vulnerable libpng version (CVE-2019-17371)
Body:
Hi,
First of all, thank you for your work on dlib — it's a great library!
While analyzing third-party dependencies used in dlib v19.24.8 (the newest version), I found that it depends on libpng version 1.6.37 ([source](https://github.com/pnggroup/libpng/tree/v1.6.37)), which has a known security vulnerability:
CVE-2019-17371 in `png_malloc_warn` (in [pngmem.c](https://github.com/davisking/dlib/blob/v19.24.8/dlib/external/libpng/pngmem.c)) and `png_create_info_struct` (in [png.c](https://github.com/davisking/dlib/blob/v19.24.8/dlib/external/libpng/png.c)).
This vulnerability may lead to memory leaks or potentially be exploited in specific contexts. Although the impact may be limited in some use cases, it's generally recommended to update to a patched version to minimize security risks.
Suggested Fix:
Please consider updating the bundled libpng version in dlib to a newer, non-vulnerable release (e.g., 1.6.38 or later), or document the potential risk if updating is not currently feasible.
Let me know if you'd like help testing with a newer version, or if more information is needed.
Thanks again!
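A defender-side check for the suggested fix, added here as an example and not code from dlib, libpng or the reporter: it walks a source tree, finds vendored `png.h` files and flags copies older than the 1.6.38 release the report suggests. It assumes `png.h` sits in the same `dlib/external/libpng/` directory as the `pngmem.c` and `png.c` files linked above and that the version is declared in the real `PNG_LIBPNG_VER_STRING` macro; the sample header embedded below is constructed.

```python
"""Flag vendored libpng copies older than a minimum patched release.

Constructed check, not part of dlib or libpng: scans a source tree for
vendored png.h files (dlib keeps its copy under dlib/external/libpng/,
per the issue), reads PNG_LIBPNG_VER_STRING and reports copies below
the minimum version the report suggests (1.6.38).
"""
import re
from pathlib import Path

# png.h really defines PNG_LIBPNG_VER_STRING; release versions only
# (pre-release strings such as "1.6.37beta01" deliberately do not match).
VER_RE = re.compile(r'^\s*#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([0-9.]+)"', re.M)
MIN_FIXED = (1, 6, 38)  # first release the report suggests upgrading to


def parse_version(header_text: str):
    """Return the libpng version tuple declared in png.h, or None."""
    m = VER_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version, min_fixed=MIN_FIXED) -> bool:
    """True when the vendored copy predates the minimum patched release."""
    return version < min_fixed


def scan_tree(root: Path, min_fixed=MIN_FIXED):
    """Find every png.h under root; return (path, version, vulnerable) rows."""
    rows = []
    for header in root.rglob("png.h"):
        version = parse_version(header.read_text(errors="replace"))
        if version is None:
            continue  # not a libpng header, or an unusual layout
        rows.append((str(header), version, is_vulnerable(version, min_fixed)))
    return rows


# Constructed excerpt modelled on the real png.h layout (assumed content).
SAMPLE_PNG_H = '#define PNG_LIBPNG_VER_STRING "1.6.37"\n#define PNG_LIBPNG_VER_MAJOR 1\n'

if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])          # e.g. a dlib checkout
    else:                                 # demo on a constructed tree
        root = Path(tempfile.mkdtemp())
        hdr = root / "dlib" / "external" / "libpng" / "png.h"
        hdr.parent.mkdir(parents=True)
        hdr.write_text(SAMPLE_PNG_H)
    for path, ver, vuln in scan_tree(root):
        print(f"{path}: libpng {'.'.join(map(str, ver))} {'VULNERABLE' if vuln else 'ok'}")
```

Run it with the path of a checkout as the only argument; with no argument it builds a temporary tree mirroring the layout the issue links to.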