sylikc/jpegview

webp security issue

Closed this issue · 4 comments

Is this fork also affected by the current webp issue? What library does the fork use for webp?

https://blog.isosceles.com/the-webp-0day/
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

Yes the current version is probably affected by the CVE. It's been updated on the current development head but a new version hasn't been pushed out. I expect to get a version out this week.

Is this fork also affected by the current webp issue?

Yes

What library does the fork use for webp?

libwebp

See #237

@sylikc Why is there no release yet with the fix?

Working on it. It's because there's a whole lotta changes on the Dev that I'm testing... and it's sort of all coming at once. 😞

Pushing out just the CVE fix wouldn't do justice to all the work translators and qbnu have put in for this upcoming release.

Luckily, after reading the blog post you attached, a crash in jpegview wouldn't cause a privilege escalation. 😎