saucecontrol/PhotoSauce

Update libwebp

svenclaesson opened this issue · 4 comments

libwebp needs an upgrade because of critical vulnerability CVE-2023-4863

Merged to vcpkg today

Thanks for the heads-up!

Very strange... The original CVE was for Chrome, then Google created a new CVE for libwebp a couple of days ago, which was rejected as a dupe of the earlier one.

In any case, I have pushed an update in f244b74, and new binaries are available in the CI feed. Google's binaries will also work with the MagicScaler plugin if you want to update from their builds.

I'll be publishing a complete new set of packages to NuGet once I get one last MagicScaler bug sorted out, hopefully next week.

Yes, there is a lot of confusion around it. See https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

The original CVE is now updated:

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.