Security Vulnerability in Sketchup libraries

Dear Sketchup experts,

I am writing to report some security vulnerabilities that I have identified in the Sketchup libraries. It is crucial to address these issues promptly to ensure the security of users and maintain the integrity of your product.

I would like to share the details of the vulnerabilities with you for further investigation and resolution. We use Black Duck, a software composition analysis (SCA) tool, to identify and manage open-source components and potential security vulnerabilities in our codebase. We perform regular Black Duck Security Scans to proactively manage and mitigate security risks associated with the use of open-source libraries. Black Duck reported some known security vulnerabilities in the library SketchUpAPI.dll, release 2024.0.2.

  • libTIFF - 4.6.0 - Fixed in [v4.7.0rc1]
    • BDSA-2023-3641
    • BDSA-2023-3640
    • BDSA-2023-3286
    • BDSA-2023-3488
    • BDSA-2024-5272 (CVE-2024-7006)
  • libjpeg-turbo - 3.03
    • BDSA-2016-0305

I would appreciate it if you could provide an estimated timeline for when a fix or mitigation plan might be implemented.

Thank you for your prompt attention to this critical issue. I look forward to working together to enhance the security of your product.

Best,
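
A practical way to double-check an SCA finding like the one above is to look at the binary itself: libtiff and libjpeg-turbo both bake their version into a string in the shared library, so a string scan of the DLL shows which release was actually compiled in. The script below is an added example, not code from the post or from SketchUp. It scans a byte image for those version strings and compares them with the fix threshold the post quotes (libtiff findings fixed in v4.7.0rc1). The libtiff pattern is the real prefix of TIFFLIB_VERSION_STR; the libjpeg-turbo pattern, the SAMPLE_BLOB bytes and the scan_file helper are assumptions constructed for the example.

```python
import re

# Version strings the two libraries embed in their compiled binaries.
# The libtiff one is the real prefix of TIFFLIB_VERSION_STR (tif_version.c);
# the libjpeg-turbo pattern is an assumption for this example.
VERSION_PATTERNS = {
    "libtiff": re.compile(rb"LIBTIFF, Version (\d+\.\d+\.\d+(?:rc\d+)?)"),
    "libjpeg-turbo": re.compile(rb"libjpeg-turbo version (\d+\.\d+\.\d+)"),
}

# Fix thresholds taken from the post: the libtiff 4.6.0 findings are fixed in
# v4.7.0rc1. The post gives no fixed version for libjpeg-turbo, so it is
# deliberately absent here rather than guessed.
FIXED_IN = {"libtiff": "4.7.0rc1"}


def parse_version(v: str):
    """Turn '4.7.0' or '4.7.0rc1' into a sortable tuple.

    A release candidate sorts before the final release of the same number,
    so 4.6.0 < 4.7.0rc1 < 4.7.0.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def extract_versions(blob: bytes) -> dict:
    """Return {library: version} for every embedded version string found."""
    found = {}
    for name, pat in VERSION_PATTERNS.items():
        m = pat.search(blob)
        if m:
            found[name] = m.group(1).decode("ascii")
    return found


def assess(found: dict) -> list:
    """Compare each found version with the recorded fix threshold."""
    results = []
    for name, ver in sorted(found.items()):
        threshold = FIXED_IN.get(name)
        if threshold is None:
            status = "no fix version recorded"
        elif parse_version(ver) < parse_version(threshold):
            status = f"below fixed version {threshold}"
        else:
            status = "at or above fixed version"
        results.append((name, ver, status))
    return results


def scan_file(path: str) -> list:
    """Scan a real DLL on disk (hypothetical helper; reads the whole file)."""
    with open(path, "rb") as fh:
        return assess(extract_versions(fh.read()))


# Constructed stand-in for a DLL image: the version strings surrounded by
# filler bytes, so the example runs without the real SketchUpAPI.dll.
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"LIBTIFF, Version 4.6.0\nCopyright (c) 1988-1996 Sam Leffler\x00"
    + bytes(range(256))
    + b"libjpeg-turbo version 3.0.3 (build 20240516)\x00"
    + b"\xff" * 64
)

if __name__ == "__main__":
    for name, ver, status in assess(extract_versions(SAMPLE_BLOB)):
        print(f"{name:14} {ver:10} {status}")
```

Run it against the real file with scan_file("SketchUpAPI.dll") to see which libtiff release the DLL actually carries; a vendor reply that the library was updated can then be checked the same way on the patched build. The version comparison is written by hand so that a pre-release threshold such as 4.7.0rc1 is handled correctly without pulling in a packaging dependency.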

Just so you know, this is a user forum not an official message channel to the SketchUp development team.