ApeironTsuka / node-webpmux

A mostly 1:1 re-implementation of webpmux as a Node module in pure JavaScript. The only thing currently missing is a command-line version.
GNU Lesser General Public License v3.0

What version of libwebp is included? #23

Closed AZUSAHMR closed 11 months ago

AZUSAHMR commented 11 months ago

Recently, there was a serious buffer overflow vulnerability in libwebp, which is said to have been resolved in version 1.3.2. I wonder if this package is safe from vulnerabilities. If it contains a vulnerable version of libwebp, could you please provide a resolved version of the package? Thank you for always.

Related Links

- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- https://nvd.nist.gov/vuln/detail/CVE-2023-41064
- https://github.com/lovell/sharp/issues/3798
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

ApeironTsuka commented 11 months ago

Thanks for bringing this to my attention. The internal libwebp is a minimal build that only has the functions used for encoding/decoding image data, so it was probably vulnerable. I've updated to the latest commit, rebuilt, and have pushed as a new version 3.1.9.