--
You received this message because you are subscribed to the Google Groups "WebP Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webp-discuss...@webmproject.org.
To view this discussion on the web visit https://groups.google.com/a/webmproject.org/d/msgid/webp-discuss/CABMp7rSvz5OW9_7Ey9LdBD_dGCeLVUfscWep3hPpzOdyKYrHQw%40mail.gmail.com.
Hi,
all affected branches (from 0.5 to 1.3) have been patched. Even the 1.1.0 one: https://chromium.googlesource.com/webm/libwebp/+/refs/heads/1.1.0
Bumping to the latest version is ideal though as it has a few improvements (performance or compilation).
On Thu, Oct 19, 2023 at 11:01 AM Sebastian C. <seba...@safetycli.com> wrote:
I found that Webptools on PyPI uses libwebp version 1.1.0
Hello, how are you?
----
Sebastian Chnelik
Please confirm and let me know if I can be of help in the patching process
Long story short, versions of libwebp before 1.3.2 are vulnerable, and Webptools may be exposing users through its functionality.
A 0-day exploited-in-the-wild vulnerability on Chrome browser was disclosed some weeks ago. But it was a bit worse than that. The original vulnerability was on the underlying library libwebp, which provides encoding and decoding of images in WebP format. Specifically, it is a heap buffer overflow issue within the Huffman coding algorithm used for lossless compression in WebP.
That means: by crafting malicious WebP images and getting victims to open them, attackers could leverage this bug to execute arbitrary code and access sensitive user data. An RCE.
This was assigned CVE-2023-4863. The vulnerability has CRITICAL severity and has been reported to be actively exploited in the wild. You may read more about it here: https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863