fix: update image-decoding deps to patch jxl-grid & webp CVEs#12
Merged
Conversation
…id and webp Fixes RUSTSEC-2026-0151 (OOB write decoding crafted JPEG XL images, reachable via embedded cover art) and RUSTSEC-2024-0443 (OOB read in webp encoder). Bumps zune-image off its RC pin to the stable 0.5.0 release, which requires jxl-oxide ^0.12.5 (resolves to 0.12.6, which requires the patched jxl-grid ^0.6.2). rimage/webp resolves to 0.3.1+ under its existing ^0.3 constraint. Note: generated by Claude (Anthropic AI assistant) at the repo owner's request, working from a security review of this repo. See PR description for the AI usage disclaimer and verification notes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AI Usage Disclaimer
This PR was prepared by Claude (Anthropic's AI assistant), at the repo owner's (@Enn3Developer) request, working in an agentic chat session. The owner asked me to audit the repo for security issues and, after review, authorized me to push this specific fix and open this PR using a scoped personal access token. I'm disclosing this so reviewers/contributors know an AI produced the diff and this description — please review it with that in mind, same as you would any external contribution.
What this fixes
Two RustSec advisories reachable through this app's actual attack surface (audio files with embedded cover art, opened by the user):
jxl-grid< 0.6.2 has an integer-overflow out-of-bounds write when decoding a crafted JPEG XL image (potential memory corruption / code execution, worse on 32-bit targets). Reachable viazune-image→jxl-oxide→jxl-grid, which is exactly the pathget_image_squared()inn_player/src/lib.rsuses to decode cover art extracted from track tags.webp0.3.0 doesn't validate the input buffer size when encoding, causing an out-of-bounds read (memory exposure / possible crash). Pulled in viarimage'swebpfeature.Change
Bumped
zune-image/zune-core/zune-imageprocsinn_player/Cargo.tomloff their long-stale release-candidate pins (0.5.0-rc0/0.5.0-rc2) to the now-stable0.5.xreleases. That change alone is what pulls in the fix:zune-image 0.5.0requiresjxl-oxide ^0.12.5, which resolves to0.12.6, which requiresjxl-grid ^0.6.2(patched).rimage's existingwebp ^0.3constraint resolves to0.3.1(patched) onceCargo.lockis regenerated.Verification performed
I don't have push/CI access from my sandbox and its Rust toolchain (1.75) is too old to build this workspace at all (unrelated —
rand 0.10already needs edition2024 / Rust 1.85+ transitively). So I could not run a fullcargo buildhere. What I did verify:cargo generate-lockfileagainst the live crates.io index with the updatedCargo.toml— resolves cleanly withjxl-grid 0.6.2,jxl-oxide 0.12.6,webp 0.3.1,zune-image 0.5.0,zune-core 0.5.1,zune-imageprocs 0.5.1,rimage 0.12.3. No dependency conflicts.Image::read,DecoderOptions::new_fast,convert_color,zune_imageprocs::crop::Crop::new,rimage::operations::resize::Resize::new,rimage::codecs::webp::WebPDecoder::try_new/decode) against the new crate sources — all unchanged.This PR still needs
Cargo.lockregenerated and a realcargo check --workspace/cargo buildrun on CI or your machine before merging. Suggested command:Other findings from the review (not included here)
A few lower-priority/harder-to-automate items came up during the audit that aren't part of this PR: several
.unwrap()s on cover-art decode/resize operations that could panic on a malformed (not necessarily malicious) embedded image, azstddecompression call insettings.rswith no output-size cap, and theunsafe impl Send/Sync for TrackDatainlib.rsworth a second look for actual cross-thread mutation. Happy to open follow-up PRs for any of these if wanted.