Update SkiaSharp to the latest stable version (2.88.6) #17558

Merged
merged 1 commit into from
Sep 25, 2023

Conversation

mattleibow
Member

Description of Change

Time to get new things!

@brminnick
Contributor

Thanks @mattleibow! Any estimation for when this PR will be released?

As I'm sure you're aware, a security vulnerability was reported on SkiaSharp this weekend. The good news is that the vulnerability is patched in SkiaSharp v2.88.6, the version this PR updates to for .NET MAUI, so the next MAUI release that includes this PR resolves this security vulnerability for .NET MAUI devs!

There are many libraries that use Microsoft.Maui.Graphics.Skia, and the latest stable version of Microsoft.Maui.Graphics.Skia currently uses SkiaSharp v2.88.2 (includes the security vulnerability), while the latest preview version of Microsoft.Maui.Graphics.Skia currently uses SkiaSharp v2.88.4-preview.82 (also includes the security vulnerability).

The biggest headache I've discovered so far is that the tizen-net7.0 library has a transitive dependency on SkiaSharp via net7.0-tizen -> Tizen.UIExtensions.NUI -> Microsoft.Maui.Graphics.Skia -> SkiaSharp. @JoonghyunCho on the Tizen team is aware of it and will be working with his team to bump Tizen.UIExtensions.NUI's dependency on Microsoft.Maui.Graphics.Skia once the new version of Microsoft.Maui.Graphics.Skia containing this PR has been released.

The good news is that we've patched it in CommunityToolkit.Maui by adding a direct dependency on SkiaSharp v2.88.6 for our Tizen builds, and we will be releasing CommunityToolkit.Maui v6.0.0 this week. So any dev who updates to CommunityToolkit.Maui v6.0.0 will by default be using the latest version of SkiaSharp on Tizen, alleviating any potential security vulnerabilities for them. I've also created an issue to remind us to remove this direct dependency on SkiaSharp once the new version of Microsoft.Maui.Graphics.Skia is released.

tl;dr There's a security vulnerability in SkiaSharp, patched in SkiaSharp v2.88.6, and Microsoft.Maui.Graphics.Skia is the long tail that needs to be patched (done) + released (pending) first before other libraries can fix their transitive vulnerabilities.
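The transitive chain described in the comment above is exactly what a dependency audit needs to surface. As an added example (not part of this thread or of the dotnet/maui repository), the following Python script parses the text output of `dotnet list package --include-transitive` and flags any resolved SkiaSharp version that sorts below 2.88.6 under NuGet's version ordering, so that a prerelease such as 2.88.4-preview.82 is correctly reported as unpatched; the sample output and every version other than SkiaSharp's are constructed.

```python
import re
from typing import Iterator, List, Tuple

# Package/version pairs the thread identifies as the fix boundary.
# Assumption: any SkiaSharp version sorting below 2.88.6 is unpatched.
FIXED_VERSIONS = {"SkiaSharp": "2.88.6"}

# Rows look like "> Name  Requested  Resolved" (top-level) or
# "> Name  Resolved" (transitive); the last column is always Resolved.
PACKAGE_LINE = re.compile(r"^\s*>\s+(\S+)\s+(?:\S+\s+)?(\S+)\s*$")


def version_key(version: str):
    """Sort key following NuGet / SemVer 2.0 ordering.
    Core parts compare numerically (padded to four parts, as NuGet does),
    and a prerelease tag sorts BELOW the bare release of the same core."""
    core, _, pre = version.partition("-")
    core_parts = tuple(int(p) for p in core.split("."))
    core_parts += (0,) * (4 - len(core_parts))
    if not pre:
        return (core_parts, 1, ())  # release beats any prerelease
    # numeric identifiers rank below alphanumeric ones; shorter lists rank lower
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i.lower())
                for i in pre.split("."))
    return (core_parts, 0, ids)


def is_unpatched(package: str, version: str) -> bool:
    fixed = FIXED_VERSIONS.get(package)
    return fixed is not None and version_key(version) < version_key(fixed)


def parse_package_lines(output: str) -> Iterator[Tuple[str, str]]:
    """Yield (package, resolved_version) from `dotnet list package` text."""
    for line in output.splitlines():
        m = PACKAGE_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def find_unpatched(output: str) -> List[Tuple[str, str]]:
    return [(p, v) for p, v in parse_package_lines(output) if is_unpatched(p, v)]


# Constructed sample shaped like `dotnet list package --include-transitive`
# for the net7.0-tizen chain from the thread (non-SkiaSharp versions invented).
SAMPLE_OUTPUT = """\
Project 'SampleApp' has the following package references
   [net7.0-tizen]:
   Top-level Package                Requested   Resolved
   > Tizen.UIExtensions.NUI         1.0.0       1.0.0

   Transitive Package               Resolved
   > Microsoft.Maui.Graphics.Skia   7.0.92
   > SkiaSharp                      2.88.2
"""

if __name__ == "__main__":
    for pkg, ver in find_unpatched(SAMPLE_OUTPUT):
        print(f"UNPATCHED: {pkg} {ver} (fixed in {FIXED_VERSIONS[pkg]})")
```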

@jsuarezruiz
Contributor

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@mattleibow mattleibow changed the title Update SkiaSharp to the latest stable version Update SkiaSharp to the latest stable version (2.88.6) Sep 25, 2023
@rmarinho rmarinho merged commit b1ebcc4 into main Sep 25, 2023
47 checks passed
@rmarinho rmarinho deleted the dev/skiasharp branch September 25, 2023 12:07
@mattleibow
Member Author

/backport to net7.0

@github-actions
Contributor

Started backporting to net7.0: https://github.com/dotnet/maui/actions/runs/6302042011

@github-actions
Contributor

@mattleibow backporting to net7.0 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: Update SkiaSharp to 2.88.6
.git/rebase-apply/patch:225: trailing whitespace.
			// native library loading logic for the .NET Framework (Visual Studio). 
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	eng/Microsoft.Extensions.targets
M	eng/Versions.props
M	src/Graphics/samples/GraphicsTester.Skia.Mac/GraphicsTester.Skia.Mac.csproj
M	src/SingleProject/Resizetizer/src/ResizetizerPackages.projitems
M	src/SingleProject/Resizetizer/test/UnitTests/Resizetizer.UnitTests.csproj
Falling back to patching base and 3-way merge...
Auto-merging src/SingleProject/Resizetizer/test/UnitTests/Resizetizer.UnitTests.csproj
CONFLICT (content): Merge conflict in src/SingleProject/Resizetizer/test/UnitTests/Resizetizer.UnitTests.csproj
Auto-merging src/SingleProject/Resizetizer/src/ResizetizerPackages.projitems
CONFLICT (content): Merge conflict in src/SingleProject/Resizetizer/src/ResizetizerPackages.projitems
Auto-merging src/Graphics/samples/GraphicsTester.Skia.Mac/GraphicsTester.Skia.Mac.csproj
Auto-merging eng/Versions.props
Auto-merging eng/Microsoft.Extensions.targets
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Update SkiaSharp to 2.88.6
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@github-actions
Contributor

@mattleibow an error occurred while backporting to net7.0, please check the run log for details!

Error: git am failed, most likely due to a merge conflict.

@mattleibow
Member Author

Backport in #17663

@mattleibow mattleibow added backport/suggested The PR author or issue review has suggested that the change should be backported. backport/approved After some discussion or review, this PR or change was approved to be backported. labels Sep 26, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Dec 5, 2023
@samhouts samhouts added the fixed-in-8.0.0-rc.2.9373 Look for this fix in 8.0.0-rc.2.9373! label Aug 2, 2024