Relax version bounds for NPOI's dependency on SharpZipLib #597

malhotrar · 2021-07-14T22:15:58Z

Version 2.5.2 allowed SharpZipLib > 1.2.0; however 2.5.3, requires 1.2.0 and has a valuable fix in #473 that fixes functionality for .NET Core.

My security team uses JFrog's XRay to scan packages - and JFrog has flagged SharpZipLib < 1.3.0 for a high vulnerability:

Summary SharpZipLib Tar/TarArchive.cs TarArchive::ExtractEntry() Function Tar Archive Handling Path Traversal Arbitrary File Write
Type Security
Provider JFrog
Severity High
Update Jun 16, 2021 11:58:41 AM
References
icsharpcode/SharpZipLib@0cbdef2
icsharpcode/SharpZipLib#519
https://github.com/icsharpcode/SharpZipLib/releases/tag/v1.3.0
Infected Component SharpZipLib

Could the nuspec dependencies be relaxed such that I can continue using SharpZipLib > 1.3.0 along with the latest version of NPOI?

The text was updated successfully, but these errors were encountered:

tonyqus · 2021-07-16T23:32:01Z

As I received a few reports that SharpZipLib 1.2.x is not secure anymore, I will change the future release to SharpZipLib >=1.3.1

tonyqus · 2021-08-02T17:01:06Z

NPOI 2.5.4 is released to solve this issue. Please upgrade your nuget reference.

malhotrar mentioned this issue Jul 15, 2021

NPOI 2.5.4 Release Notes #594

Closed

tonyqus modified the milestones: NPOI 2.5.5, NPOI 2.5.4 Jul 16, 2021

tonyqus added the bug label Jul 16, 2021

tonyqus closed this as completed Aug 2, 2021

Provide feedback