Dear SketchUp experts,
I am writing to report some security vulnerabilities that I have identified in the SketchUp libraries. It is crucial to address these issues promptly to ensure the security of users and maintain the integrity of your product.
I would like to share the details of the vulnerabilities with you for further investigation and resolution. We use Black Duck, a software composition analysis (SCA) tool, to identify and manage open-source components and potential security vulnerabilities in our codebase. We perform regular Black Duck Security Scans to proactively manage and mitigate security risks associated with the use of open-source libraries. Black Duck reported some known security vulnerabilities from the library SketchUpAPI.dll with release 2024.0.2.
- libTIFF - 4.6.0 - Fixed in [v4.7.0rc1]
  - BDSA-2023-3641
  - BDSA-2023-3640
  - BDSA-2023-3286
  - BDSA-2023-3488
  - BDSA-2024-5272 (CVE-2024-7006)
- libjpeg-turbo - 3.03
  - BDSA-2016-0305
I would appreciate it if you could provide an estimated timeline for when a fix or mitigation plan might be implemented.
Thank you for your prompt attention to this critical issue. I look forward to working together to enhance the security of your product.
Best,