Patch System.Drawing.Common:4.7.2 - CVE-2021-24112

[carlbennett]

This request resolves the .NET Core Remote Code Execution Vulnerability below by upgrading dependency System.Drawing.Common from 4.7.0 to 4.7.2.

src/MBNCSUtil.csproj : warning NU1904: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj

[carlbennett]

CI passed.

I looked in the code, it seems System.Drawing is used by:

• src/Data/Blp1Parser.cs
• src/Data/Blp2Parser.cs
• src/Data/BniFileParser.cs
• src/Data/BniIcon.cs
• src/Data/ImageParser.cs

[carlbennett]

Review: System.Drawing.Common 4.7.0 → 4.7.2

The upgrade is safe. 4.7.1 and 4.7.2 are security-only patches for CVE-2021-24112 — no API removals, signature changes, or behavioral differences. Existing code will compile and run identically.

Two things worth noting:

1. The NuGet version is mostly cosmetic on net10.0

The project targets net10.0. On .NET 6+, System.Drawing.Common is an inbox assembly — the NuGet package provides resolution stubs, but the actual runtime implementation is whatever ships with .NET 10, not the 4.7.x package. The version bump primarily satisfies dependency scanners (dotnet list package --vulnerable, Dependabot), not the runtime.

2. Pre-existing cross-platform issue (not caused by this PR)

System.Drawing.Common became Windows-only on .NET 6+, and the EnableUnixSupport escape hatch was removed in .NET 7. On net10.0, any code path reaching System.Drawing types (BniFileParser, BniIcon, Blp1Parser, Blp2Parser, ImageParser) will throw PlatformNotSupportedException on Linux/macOS. This predates this PR and is worth tracking as a separate issue — the likely fix is replacing System.Drawing.Common with a cross-platform alternative like ImageSharp or SkiaSharp.

---

✅ Safe to merge as a security patch.