Security Issue in Webptools latest


Sebastian C.

Oct 19, 2023, 5:01:47 AM
to webp-d...@webmproject.org
Hello, how are you?


I found that Webptools on PyPI uses libwebp version 1.1.0.

A 0-day exploited-in-the-wild vulnerability in the Chrome browser was disclosed some weeks ago. But it was a bit worse than that. The original vulnerability was in the underlying library libwebp, which provides encoding and decoding of images in WebP format. Specifically, it is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP.
That means: by crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data. An RCE.
This was assigned CVE-2023-4863. The vulnerability has CRITICAL severity and has been reported to be actively exploited in the wild. You may read more about it here: https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863

Long story short, versions of libwebp before 1.3.2 are vulnerable, and Webptools may be exposing users through its functionality.

Please confirm and let me know if I can be of help in the patching process.
Sebastian Chnelik

Vincent Rabaud

Oct 19, 2023, 5:49:51 AM
to webp-d...@webmproject.org
Hi,

all affected branches (from 0.5 to 1.3) have been patched. Even the 1.1.0 one: https://chromium.googlesource.com/webm/libwebp/+/refs/heads/1.1.0
Bumping to the latest version is ideal though as it has a few improvements (performance or compilation).


--
You received this message because you are subscribed to the Google Groups "WebP Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webp-discuss...@webmproject.org.
To view this discussion on the web visit https://groups.google.com/a/webmproject.org/d/msgid/webp-discuss/CABMp7rSvz5OW9_7Ey9LdBD_dGCeLVUfscWep3hPpzOdyKYrHQw%40mail.gmail.com.

James Zern

Oct 19, 2023, 2:01:19 PM
to webp-d...@webmproject.org
On Thu, Oct 19, 2023 at 2:49 AM 'Vincent Rabaud' via WebP Discussion <webp-d...@webmproject.org> wrote:
> Hi,
>
> all affected branches (from 0.5 to 1.3) have been patched. Even the 1.1.0 one: https://chromium.googlesource.com/webm/libwebp/+/refs/heads/1.1.0
> Bumping to the latest version is ideal though as it has a few improvements (performance or compilation).
>
> On Thu, Oct 19, 2023 at 11:01 AM Sebastian C. <seba...@safetycli.com> wrote:
>> Hello, how are you?
>>
>> I found that Webptools on PyPI uses libwebp version 1.1.0.

Note this project doesn't maintain the package. It would be good to file an issue in their tracker:
 

>> A 0-day exploited-in-the-wild vulnerability in the Chrome browser was disclosed some weeks ago. But it was a bit worse than that. The original vulnerability was in the underlying library libwebp, which provides encoding and decoding of images in WebP format. Specifically, it is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP.
>> That means: by crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data. An RCE.
>> This was assigned CVE-2023-4863. The vulnerability has CRITICAL severity and has been reported to be actively exploited in the wild. You may read more about it here: https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863
>>
>> Long story short, versions of libwebp before 1.3.2 are vulnerable, and Webptools may be exposing users through its functionality.
>>
>> Please confirm and let me know if I can be of help in the patching process.
>> Sebastian Chnelik

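An added example, not part of the thread and not code from webptools or libwebp: a small audit that finds libwebp command-line binaries bundled under a directory (for instance a Python `site-packages` tree), reads the version each reports with `-version`, and compares it with the 1.3.2 release named above. It assumes the package ships such binaries; the function names and result labels are illustrative. Because older branches were also patched, a version below 1.3.2 is reported as needing a check of the build source rather than as vulnerable.

```python
import re
import subprocess
import sys
from pathlib import Path

FIXED = (1, 3, 2)  # thread: releases before 1.3.2 are affected by CVE-2023-4863
TOOL_NAMES = {"cwebp", "dwebp", "gif2webp", "webpmux"}  # libwebp CLI tools


def parse_version(output):
    """Return (major, minor, patch) from `-version` output, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "fixed-release"
    # An older number may still come from a patched maintenance branch
    # (see the reply in the thread), so the number alone is inconclusive.
    return "verify-build-source"


def find_tools(root):
    """Yield bundled libwebp tool binaries below root."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ("", ".exe") \
                and p.stem.lower() in TOOL_NAMES:
            yield p


def run_version(path):
    """Ask the binary for its version; empty string if it cannot be run."""
    try:
        r = subprocess.run([str(path), "-version"], capture_output=True,
                           text=True, timeout=5)
        return r.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def audit(root, runner=run_version):
    """Map each bundled tool path to its classification."""
    return {str(p): classify(parse_version(runner(p))) for p in find_tools(root)}


if __name__ == "__main__":
    for path, verdict in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:20} {path}")
```

For a `verify-build-source` result, confirm with the package maintainer which libwebp commit the binary was built from, or replace it with a build of 1.3.2 or later.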