Vulnerabilities in dependencies #72

Open
Klaus-Tockloth opened this issue Jan 29, 2025 · 0 comments


The current library version has a lot of vulnerabilities in its dependencies:

% govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2024-3333
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
  More info: https://pkg.go.dev/vuln/GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: renderer.go:523:24: term.renderer.renderHTMLBlock calls html.Parse

Vulnerability #2: GO-2024-3205
    Infinite loop in github.com/gomarkdown/markdown
  More info: https://pkg.go.dev/vuln/GO-2024-3205
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/[email protected]
    Fixed in: github.com/gomarkdown/[email protected]
    Example traces found:
      #1: markdown.go:29:19: term.Render calls markdown.Parse, which calls parser.Parser.Parse

Vulnerability #3: GO-2024-2937
    Panic when parsing invalid palette-color images in golang.org/x/image
  More info: https://pkg.go.dev/vuln/GO-2024-2937
  Module: golang.org/x/image
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: renderer.go:907:42: term.renderer.renderImage calls ansimage.NewScaledFromReader, which eventually calls tiff.Decode

Vulnerability #4: GO-2023-2074
    Parser out-of-bounds read caused by a malformed markdown input in
    github.com/gomarkdown/markdown
  More info: https://pkg.go.dev/vuln/GO-2023-2074
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/[email protected]
    Fixed in: github.com/gomarkdown/[email protected]
    Example traces found:
      #1: markdown.go:32:18: term.Render calls markdown.Render, which eventually calls parser.Parser.Inline
      #2: markdown.go:29:19: term.Render calls markdown.Parse, which calls parser.Parser.Parse

Vulnerability #5: GO-2023-1990
    Excessive CPU consumption when decoding 0-height images in
    golang.org/x/image/tiff
  More info: https://pkg.go.dev/vuln/GO-2023-1990
  Module: golang.org/x/image
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: renderer.go:907:42: term.renderer.renderImage calls ansimage.NewScaledFromReader, which eventually calls tiff.Decode

Vulnerability #6: GO-2023-1989
    Excessive resource consumption in golang.org/x/image/tiff
  More info: https://pkg.go.dev/vuln/GO-2023-1989
  Module: golang.org/x/image
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: renderer.go:907:42: term.renderer.renderImage calls ansimage.NewScaledFromReader, which eventually calls tiff.Decode

Vulnerability #7: GO-2023-1572
    Denial of service via crafted TIFF image in golang.org/x/image/tiff
  More info: https://pkg.go.dev/vuln/GO-2023-1572
  Module: golang.org/x/image
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: renderer.go:907:42: term.renderer.renderImage calls ansimage.NewScaledFromReader, which eventually calls tiff.Decode

Your code is affected by 7 vulnerabilities from 3 modules.
This scan also found 2 vulnerabilities in packages you import and 5
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

The problem can be solved by updating the dependencies:

% go get -u
go: upgraded github.com/dlclark/regexp2 v1.4.0 => v1.11.4
go: upgraded github.com/eliukblau/pixterm v1.3.1 => v1.3.2
go: upgraded github.com/fatih/color v1.13.0 => v1.18.0
go: upgraded github.com/gomarkdown/markdown v0.0.0-20220310201231-552c6011c0b8 => v0.0.0-20241205020045-f7e15b2f3e62
go: upgraded github.com/kyokomi/emoji/v2 v2.2.9 => v2.2.13
go: upgraded github.com/mattn/go-colorable v0.1.12 => v0.1.14
go: upgraded github.com/mattn/go-isatty v0.0.14 => v0.0.20
go: upgraded github.com/mattn/go-runewidth v0.0.13 => v0.0.16
go: upgraded github.com/rivo/uniseg v0.2.0 => v0.4.7
go: upgraded golang.org/x/image v0.0.0-20220321031419-a8550c1d254a => v0.23.0
go: upgraded golang.org/x/net v0.0.0-20220401154927-543a649e0bdd => v0.34.0
go: upgraded golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f => v0.29.0

After updating, the vulnerabilities are gone:

% govulncheck ./...
No vulnerabilities found.

Please update all dependencies.
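The report quoted above is what a CI gate has to read before it can decide whether a build passes. As an added example (not code from this issue or the project), the Go program below parses the "Symbol Results" text layout shown in the report into the module-to-fixed-version bumps the build should require; the vulnerability IDs and module paths come from the report, while the versions and the `ParseReport`/`Upgrades` helper names are constructed for the example. The text layout is the human-readable output; a real gate would read `govulncheck -json`, but the extraction logic is the same.

```go
package main

import (
	"regexp"
	"strings"
)
// Constructed govulncheck text report in the layout quoted in the issue; the
// IDs and module paths are the issue's, the versions are placeholders.
const sampleReport = `Vulnerability #1: GO-2024-3333
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.0.0-constructed
    Fixed in: golang.org/x/net@v0.99.0-constructed
      #1: renderer.go:523:24: term.renderer.renderHTMLBlock calls html.Parse

Vulnerability #2: GO-2023-2074
  Module: github.com/gomarkdown/markdown
    Found in: github.com/gomarkdown/markdown@v0.0.0-constructed
    Fixed in: github.com/gomarkdown/markdown@v0.1.0-constructed
`

// Finding is one "Vulnerability #N" block from "Symbol Results": a vulnerability
// govulncheck traced to a call reachable from the scanned code.
type Finding struct{ ID string; Fields map[string]string } // "Module", "Found in", "Fixed in"

var (
	reHeader = regexp.MustCompile(`^Vulnerability #\d+: (GO-\d{4}-\d+)`)
	reField  = regexp.MustCompile(`^\s+(Module|Found in|Fixed in): (\S+)`)
)

// ParseReport extracts the findings; description, "More info" and trace lines are skipped.
func ParseReport(report string) []Finding {
	var fs []Finding
	for _, line := range strings.Split(report, "\n") {
		if m := reHeader.FindStringSubmatch(line); m != nil {
			fs = append(fs, Finding{ID: m[1], Fields: map[string]string{}})
		} else if m := reField.FindStringSubmatch(line); m != nil && len(fs) > 0 {
			fs[len(fs)-1].Fields[m[1]] = m[2]
		}
	}
	return fs
}

// Upgrades maps each affected module to the version that fixes it: the `go get module@version` bumps a gate should require.
func Upgrades(fs []Finding) map[string]string {
	up := map[string]string{}
	for _, f := range fs {
		up[f.Fields["Module"]] = f.Fields["Fixed in"]
	}
	return up
}
```

A non-empty `Upgrades` result is the fail condition; a clean run ("No vulnerabilities found.") parses to zero findings.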
