by sigmonsays 617 days ago
Trying to nix run it, I get a ton of insecure warnings, and it lists the CVEs.

Is this a nix thing? (I'm unsure what freeimage-unstable is.)

       error: Package ‘freeimage-unstable-2021-11-01’ in /nix/store/20yis5w6g397plssim663hqxdiiah2wr-source/pkgs/development/libraries/freeimage/default.nix:72 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2021-33367
        - CVE-2021-40262
        - CVE-2021-40263
        - CVE-2021-40264
        - CVE-2021-40265
        - CVE-2021-40266
        - CVE-2023-47992
        - CVE-2023-47993
        - CVE-2023-47994
        - CVE-2023-47995
        - CVE-2023-47996

FreeImage is used by Chafa to display the covers in the terminal.

The version of kew packaged for Nix is very old: v1.5.2. We're at version 2.8.2. So it's more than a year old, from very early on in the project.

"Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file."

I don't know how relevant these vulnerabilities are to kew, which isn't run across the network in any way; it just reads your local files.

Thank you for bringing this to light. I don't know how feasible it is to use something other than freeimage, though; gonna have to investigate.

It is still relevant because sometimes those local files come from the network and aren't trusted.

Looks like a nice project, I like the terminal album art display :).