Check vulnerability due to `libwebp`, `libvpx`, Chromium, and Electron


Martin Hepp

Sep 29, 2023, 4:05:59 PM
to zotero-dev
Dear all:

First, my apologies and a disclaimer that I do not fully understand the architecture of Zotero. But given the high relevance and potential impact, I kindly wanted to ask if Zotero is affected by CVE-2023-4863 and CVE-2023-5217, for more details see here:


Basically, any application that is based on Electron or Chromium or includes internal copies of `libwebp` or `libvpx` is at risk.

Thanks!

Best wishes
Martin

Dan Stillman

Sep 29, 2023, 4:07:35 PM
to zoter...@googlegroups.com
Zotero isn't based on Electron or Chromium and doesn't include those libraries.

Dan Stillman

Sep 29, 2023, 4:23:04 PM
to zoter...@googlegroups.com
On 9/29/23 4:07 PM, Dan Stillman wrote:
> Zotero isn't based on Electron or Chromium and doesn't include those
> libraries.

Actually, this applies to Zotero 6.

It looks like the Zotero 7 beta is affected due to WebP support. We'll
push an update today (7.0.0-beta.43) that includes the fix.

Thanks,

Dan

Imran H

Nov 1, 2023, 5:35:18 PM
to zotero-dev
I believe Zotero 6 is affected by the libvpx vulnerability, since it is based on Firefox, which was also affected. Mozilla have released security fixes for the most recent ESR version here, but they won't go as far back as Firefox 60, which Zotero 6 appears to be based on (from running Services.appinfo.platformVersion in the console).

Dan Stillman

Nov 2, 2023, 7:44:06 PM
to zoter...@googlegroups.com
On 10/31/23 10:18 PM, Imran H wrote:
> I believe Zotero 6 is affected by the libvpx vulnerability, since it is based on Firefox, which was also affected. Mozilla have released security fixes for the most recent ESR version here, but they won't go as far back as Firefox 60, which Zotero 6 appears to be based on (from running Services.appinfo.platformVersion in the console).

Thanks for pointing this out. Zotero mostly avoids using an actual browser, so its attack surface for things like this is pretty small and improbable, but we've gone ahead and released 6.0.30 and a new Zotero 7 beta with libvpx disabled and some additional content-security restrictions in generated reports.
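The check Imran describes above (reading the Gecko platform version and asking whether Mozilla's fix for a given branch ever reached it) can be scripted. The block below is an added example, not Zotero's or Mozilla's code. It encodes the fixed releases from Mozilla's advisories MFSA 2023-40 (CVE-2023-4863: Firefox 117.0.1, ESR 115.2.1, ESR 102.15.1) and MFSA 2023-44 (CVE-2023-5217: Firefox 118.0.1, ESR 115.3.1, ESR 102.15.1), and it assumes, as Imran's post does, that `Services.appinfo.platformVersion` is reachable from the app's JavaScript console (in Zotero: Tools > Developer > Run JavaScript); outside such a console `checkCurrentPlatform()` simply returns null and the version logic can be exercised on its own.

```javascript
// Added example: map a Gecko platform version to "did Mozilla's fix reach this
// branch?" for the two 2023 media-decoder CVEs. Not part of Zotero or Mozilla.
//
// Fixed releases, per Mozilla advisories (assumed to be the only relevant ones):
//   CVE-2023-4863 (libwebp): MFSA 2023-40 -> 117.0.1, ESR 115.2.1, ESR 102.15.1
//   CVE-2023-5217 (libvpx):  MFSA 2023-44 -> 118.0.1, ESR 115.3.1, ESR 102.15.1
const FIXED_IN = {
  "CVE-2023-4863": ["117.0.1", "115.2.1", "102.15.1"],
  "CVE-2023-5217": ["118.0.1", "115.3.1", "102.15.1"],
};

// "115.3.1esr" / "60.9.0" -> [115, 3, 1]; non-numeric suffixes are dropped.
function parseVersion(v) {
  return String(v).split(".").map((p) => parseInt(p, 10) || 0);
}

// Numeric, component-wise comparison; missing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Decide whether `platformVersion` contains the fix for `cve`.
//  - Same major as a fixed release (102.x, 115.x, 117/118.x): compare within
//    that branch.
//  - Major newer than the newest fixed major: the fix ships in every later
//    release, so fixed.
//  - Any other major (e.g. 60.x, or 116.x which was already unsupported):
//    Mozilla never shipped the fix for that branch, so unfixed.
function platformHasFix(platformVersion, cve) {
  const fixes = FIXED_IN[cve];
  if (!fixes) throw new Error("unknown CVE " + cve);
  const major = parseVersion(platformVersion)[0];
  const sameBranch = fixes.find((f) => parseVersion(f)[0] === major);
  if (sameBranch) {
    return {
      fixed: compareVersions(platformVersion, sameBranch) >= 0,
      reference: sameBranch,
    };
  }
  const newestMajor = Math.max(...fixes.map((f) => parseVersion(f)[0]));
  return { fixed: major > newestMajor, reference: null };
}

// Run inside a Gecko-based app's JavaScript console. Assumes the Mozilla
// `Services.appinfo` global is present there; returns null anywhere else.
function checkCurrentPlatform() {
  if (typeof Services === "undefined" || !Services.appinfo) return null;
  const pv = Services.appinfo.platformVersion;
  const results = {};
  for (const cve of Object.keys(FIXED_IN)) results[cve] = platformHasFix(pv, cve);
  return { platformVersion: pv, results };
}

// Sample versions (constructed): a Firefox-60-era platform, an ESR 115 just
// before and at the fix, and a release newer than any fixed branch.
for (const v of ["60.9.0", "115.3.0", "115.3.1", "119.0"]) {
  console.log(v, platformHasFix(v, "CVE-2023-5217"));
}
console.log("current platform:", checkCurrentPlatform());
```

The branch rule matters more than the raw comparison: a platform version of 60.9.0 is numerically below every fixed release, but the useful fact is that no 60.x release with the fix exists at all, which is the situation Imran's post describes for Zotero 6 and why an application-side mitigation (disabling the decoder) rather than a platform update was the remedy Dan describes.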