Comments (4)
floitsch
commented on August 22, 2024
1
I'm pretty sure that's a mistake of SonarQube then. I just looked at the first vulnerability, and the patch has nothing to do with the double-conversion library: facebook/folly@c321eb5
Searching through the vulnerability database I only found one entry that potentially applies: https://nvd.nist.gov/vuln/detail/CVE-2016-1660
Blink changed an assert into a release assert to handle bad input. I'm open to doing the same change.
from double-conversion.
floitsch
commented on August 22, 2024
I will have another look later, but at first glance those vulnerabilities don't seem to apply to this library.
For example, the first one talks about SSL sockets, which has nothing to do with double-conversion (unless this library is used under the hood).
from double-conversion.
congshengwu
commented on August 22, 2024
Wow, thanks for the quick reply. I am using React Native to build the mobile app, and double-conversion is part of the dependencies of React Native.
We have CI&CD on a Linux server and use SonarQube to scan the vulnerabilities during the app package building. Here is more detail from the SonarQube scan result:
-
Filename: DoubleConversion:3.2.1 | Reference: CVE-2019-11934 | CVSS Score: 9.8 | Category: CWE-125 | Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket. This issue affects folly prior to v2019.11.04.00.
-
Filename: DoubleConversion:3.2.1 | Reference: CVE-2021-24036 | CVSS Score: 9.8 | Category: CWE-787 | Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution. This issue affects versions of folly prior to v2021.07.22.00. This issue affects HHVM versions prior to 4.80.5, all versions between 4.81.0 and 4.102.1, all versions between 4.103.0 and 4.113.0, and versions 4.114.0, 4.115.0, 4.116.0, 4.117.0, 4.118.0 and 4.118.1.
-
Filename: DoubleConversion:3.2.1 | Reference: CVE-2008-0660 | CVSS Score: 9.3 | Category: CWE-119 | Multiple stack-based buffer overflows in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.6.17.0, 4.5.70.0, and 4.5.126.0, and ImageUploader5 5.0.10.0, as used by Facebook PhotoUploader 4.5.57.0, allow remote attackers to execute arbitrary code via long (1) ExtractExif and (2) ExtractIptc properties.
from double-conversion.
congshengwu
commented on August 22, 2024
I have double-checked the content of the Sonarqube result. You're right, they are not related to double-conversion.
Thanks for your time, I will close the issue then.
from double-conversion.
Related Issues (20)
- How to "install" built libraries on Windows HOT 4
- make-ing library on Windows 10 HOT 11
- Maximum string length DoubleToStringConverter::EcmaScriptConverter() ToShortest? 26 chars? HOT 8
- kMaxFixedDigitsAfterPoint should be increased from 60 to 100 HOT 2
- StringToDoubleConverter::StringToDouble slower than dtoa HOT 3
- `StringToDoubleConverter::StringTo<FloatingPoint>` member function templates HOT 3
- Add generic (template) methods for `to_string` (float or double). HOT 2
- New tag/version since 2019? HOT 2
- [bug] ieee.h: Wrong QuietNaN bit check on mips* architectures HOT 1
- Kindly add installation of Windows debugger files (pdb)? HOT 5
- FastFixedDtoa incorrect rounding. HOT 1
- Fix -Wzero-as-null-pointer-constant warnings HOT 12
- Tag a v3.2.1 release? HOT 2
- Various warnings compiling with visual studio HOT 1
- Insecure API when using in React Native iOS app HOT 1
- Set GitHub Workflow permissions to read only HOT 1
- Hash Pin Github Owned Actions HOT 3
- Enable OpenSSF Scorecard Action and Badge HOT 1
- question: does abseil-cpp cover double-conversion functionality HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from double-conversion.