Comment by sigmonsays

2 years ago

Trying to nix run it, I get a ton of insecure warnings and it lists the CVEs.

Is this a nix thing? (I'm unsure what freeimage-unstable is.)

       error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/20yis5w6g397plssim663hqxdiiah2wr-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2021-33367
        - CVE-2021-40262
        - CVE-2021-40263
        - CVE-2021-40264
        - CVE-2021-40265
        - CVE-2021-40266
        - CVE-2023-47992
        - CVE-2023-47993
        - CVE-2023-47994
        - CVE-2023-47995
        - CVE-2023-47996

FreeImage is used by Chafa to display the covers in the terminal.

The version of kew packaged for Nix is very old: v1.5.2. We're at version 2.8.2. So it's more than a year old, from very early on in the project.

"Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file."

I don't know how relevant these vulnerabilities are to kew, which isn't run across the network in any way; it just reads your local files.

Thank you for bringing this to light. I don't know how feasible it is to use something other than freeimage though, gonna have to investigate.

  • It is still relevant because sometimes those local files come from the network and aren't trusted.

    Looks like a nice project, I like the terminal album art display :).