Vulnerability Fix Request: ChartDirector v7.0 (C++ Win64) - Critical Vulnerabilities in libpng/zlib
Posted by Scott Zhang on May-11-2026 16:24

Hello,
We are currently using ChartDirector v7.0 (C++ Win64 version) in our product.
During a recent security scan, several critical vulnerabilities were identified within the third-party libraries bundled with the product, specifically in libpng, zlib, and freetype. Our company policy requires these vulnerabilities to be remediated immediately.
Could you please let us know if there is an updated version or a patch for ChartDirector v7.0 that addresses these issues? If not, do you recommend upgrading to a newer version (e.g., v8.0) to resolve them?
Vulnerability List:
libpng: CVE-2016-9841, CVE-2016-9843, CVE-2023-45853, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293, CVE-2026-22801, CVE-2026-25646, CVE-2026-33416, CVE-2026-33636
zlib: CVE-2016-9840, CVE-2016-9842, CVE-2018-25032, CVE-2022-37434|RASA-2022-43763, CVE-2026-22184
Looking forward to your prompt response.
Best regards.

Re: Vulnerability Fix Request: ChartDirector v7.0 (C++ Win64) - Critical Vulnerabilities in libpng/zlib
Posted by Peter Kwan on May-12-2026 15:47

Hi Scott,
The latest released version of ChartDirector for C++ is 7.2, released on 2026-02-21. If you are using an older version, you may download it again to get the latest version.
We also have an internal version dated 2026-04-16. Please email me pkwan@advsofteng.net if you want to try it.
Note that your scanner does not detect any vulnerability. It only detects the open source library version, and then searches the CVE database for the vulnerability records. It does not mean the records are relevant to the final DLL.
For example, CVE-2026-22184 refers to a vulnerability in the "untgz utility" included in zlib. ChartDirector does not use "untgz" and it is not included in ChartDirector. This proves that the scanner only lists out the records from the database, but does not actually detect any vulnerable code. It is unlike a virus scanner that actually detects the virus code.
ChartDirector only uses common and well-proven open source libraries. These libraries tend to have a lot of functions, but most projects only use a few functions. The vulnerability usually occurs in some rarely used functions or in using the functions in some very specific way (otherwise it would have been detected a long time ago).
ChartDirector only has an API and all data are provided by your code through the API. It is assumed your code will validate any user input before using it, so it is hard for the user to attack ChartDirector directly. So far we are not aware of any actual vulnerability in ChartDirector.
In practice, a new vulnerability can appear quite frequently in the CVE database (more than once per month), so we cannot have stable software if we need to modify the software to satisfy the scanner every time. We will only update our software when there is an actual vulnerability in ChartDirector.
Having said that, we notice more and more of our customers are using similar scanners, and their company requires them to provide a "clean bill of health" (no vulnerability report). For this reason, for customers with upgrade and software subscription, we can custom compile a version of ChartDirector using the latest library version or the library version of their choice, twice a year. Such a library will be "fresh" and should not have any vulnerability known in the database (assuming the open source library developers have already fixed all the known vulnerabilities).
Please contact support@advsofteng.net with your license key and subscription key (if any) if you need a custom compile with the latest libraries.
Best Regards
Peter Kwan
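The distinction Peter draws above (a version-matching scanner finds the library's embedded version banner, looks the version up in the CVE database, and does not check whether the affected code is even in the binary) can be made concrete with a small triage script. This is an added example, not code from ChartDirector or from the scanner in question; the byte string standing in for a DLL image is constructed, and the CVE-to-component table (fixed-in versions and the function or contrib tool that carries the affected code) is illustrative and must be checked against the actual advisories before anyone relies on it. The two banner formats are the ones the real libraries embed (zlib's deflate_copyright string and libpng's png_get_copyright string).

```python
import re

# Constructed stand-in for a DLL image (NOT a real ChartDirector binary): the kind of
# strings a version scanner keys on, plus a few NUL-separated names as found in .rdata.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
    + b"libpng version 1.6.37 - April 14, 2019\x00"
    + b"inflate\x00inflateGetHeader\x00deflate\x00crc32\x00png_read_info\x00"
)

# Version banners the real libraries embed (zlib's is deflate_copyright, which begins
# with a space in the real source; libpng's comes from png_get_copyright).
BANNERS = {
    "zlib":   re.compile(rb"deflate (\d+(?:\.\d+){2,3}) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}


def detect_versions(image: bytes) -> dict[str, str]:
    """Step 1, which is all a version-matching scanner does: find the banner strings."""
    found = {}
    for lib, rx in BANNERS.items():
        m = rx.search(image)
        if m:
            found[lib] = m.group(1).decode()
    return found


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def has_symbol(image: bytes, name: str) -> bool:
    """Crude presence test: the NUL-delimited name appears in the image.
    Enough for the constructed sample; on a real DLL read the export table or
    debug symbols instead, since a statically linked zlib exports nothing."""
    return b"\x00" + name.encode() + b"\x00" in image


# Constructed triage table: (CVE, library, first fixed version or None, symbol carrying
# the affected code). Illustrative values; take the real ranges from the advisories.
CVE_TABLE = [
    ("CVE-2016-9840",  "zlib", "1.2.9",  "inflate"),                  # inftrees.c, reached via inflate
    ("CVE-2018-25032", "zlib", "1.2.12", "deflate"),                  # deflate.c
    ("CVE-2022-37434", "zlib", "1.2.13", "inflateGetHeader"),         # gzip header "extra" field handling
    ("CVE-2023-45853", "zlib", "1.3.1",  "zipOpenNewFileInZip4_64"),  # contrib/minizip, not the core library
    ("CVE-2026-22184", "zlib", None,     "untgz"),                    # contrib/untgz per the thread; range not encoded
]


def triage(image: bytes, table=CVE_TABLE) -> dict[str, str]:
    """Step 2, which the scanner skips: is the version affected, and is the code there?"""
    versions = detect_versions(image)
    verdicts = {}
    for cve, lib, fixed_in, symbol in table:
        if lib not in versions:
            verdicts[cve] = "library not detected"
        elif fixed_in is not None and version_tuple(versions[lib]) >= version_tuple(fixed_in):
            verdicts[cve] = "version not affected"
        elif not has_symbol(image, symbol):
            verdicts[cve] = f"component absent ({symbol} not in binary)"
        else:
            verdicts[cve] = f"needs analysis (vulnerable version and {symbol} present)"
    return verdicts


if __name__ == "__main__":
    print(detect_versions(SAMPLE_IMAGE))
    for cve, verdict in triage(SAMPLE_IMAGE).items():
        print(f"{cve}: {verdict}")
```

On the constructed sample the script reports zlib 1.2.11 and libpng 1.6.37, then sorts the zlib records three ways: CVE-2016-9840 is out of range for that version, the minizip and untgz records are dropped because nothing from those contrib tools is in the image, and CVE-2018-25032 and CVE-2022-37434 are left as "needs analysis" because both the version and the function are present. That last bucket is the only one that deserves a human look, and note what this does not settle: whether the code path is reachable with attacker-controlled input (for example whether inflateGetHeader is ever called on gzip streams the user supplies), which is the question the thread says only the application code can answer.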
Re: Vulnerability Fix Request: ChartDirector v7.0 (C++ Win64) - Critical Vulnerabilities in libpng/zlib
Posted by Scott Zhang on May-12-2026 20:31

Hi Peter,
Thank you for your prompt response. I have organized the fixed versions of the dependency libraries and sent them to the designated email address. I look forward to hearing from you soon.
Best regards,
Scott Zhang