RigsOfRods / rigs-of-rods

Main development repository for Rigs of Rods soft-body physics simulator
https://www.rigsofrods.org
GNU General Public License v3.0

New release against CVE-2023-5129? #3088

Closed wegank closed 11 months ago

wegank commented 1 year ago

The latest Linux release of Rigs of Rods is considered vulnerable to CVE-2023-5129. Specifically, the following files are suspected to contain a libwebp variant:

lib/Codec_FreeImage.so
lib/Codec_FreeImage.so.1.11.6
lib/libwebp.so.6
lib/libwebp.so.6.0.2

It would be good to know if there will soon be a new release (e.g. 2022.12.1) to fix the vulnerability.

Steps to reproduce

  1. Download from https://rigs-of-rods.itch.io/rigs-of-rods.
  2. Extract.
  3. Check if the files above are updated.

Expected behaviour

Yes.

Actual behaviour

No.

System configuration

Additional information, logs and screenshots (optional)
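One way to carry out step 3 without relying on file names, as an added example that is not part of the original issue or the project's code: load each suspect shared object and call libwebp's exported WebPGetDecoderVersion(), which packs major/minor/patch as 8 bits each. The lib/ paths are the ones listed in the report; the minimum fixed version is an assumption to confirm against the libwebp advisory, and loading a library runs its initializers, so do this on a throwaway VM.

```python
import ctypes
import os
from typing import Dict, Optional, Tuple

# Files named in the issue report, relative to the extracted release directory.
SUSPECT_LIBS = [
    "lib/Codec_FreeImage.so",
    "lib/Codec_FreeImage.so.1.11.6",
    "lib/libwebp.so.6",
    "lib/libwebp.so.6.0.2",
]

# Assumption: first libwebp release carrying the fix for CVE-2023-5129
# (1.3.2 at time of writing); verify against the upstream advisory.
MIN_FIXED_VERSION = (1, 3, 2)


def unpack_webp_version(packed: int) -> Tuple[int, int, int]:
    """WebPGetDecoderVersion() returns 0xMMmmpp: major, minor, patch, 8 bits each."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def bundled_webp_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Version reported by the libwebp code inside a shared object, or None when
    the file is missing, not loadable, or does not export the symbol (a FreeImage
    codec that links libwebp statically may hide it)."""
    if not os.path.isfile(path):
        return None
    try:
        fn = ctypes.CDLL(path).WebPGetDecoderVersion
    except (OSError, AttributeError):
        return None
    fn.restype, fn.argtypes = ctypes.c_int, []
    return unpack_webp_version(fn())


def is_fixed(version: Tuple[int, int, int], minimum=MIN_FIXED_VERSION) -> bool:
    return version >= minimum


def audit_release(release_dir: str) -> Dict[str, str]:
    """Map each suspect library to 'fixed', 'vulnerable' or 'unknown'."""
    results = {}
    for rel in SUSPECT_LIBS:
        version = bundled_webp_version(os.path.join(release_dir, rel))
        if version is None:
            results[rel] = "unknown"
        else:
            results[rel] = "fixed" if is_fixed(version) else "vulnerable"
    return results


if __name__ == "__main__":
    import sys
    for lib, status in audit_release(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:10s} {lib}")
```

A result of "unknown" for a Codec_FreeImage.so that is known to bundle libwebp means the symbol is not exported, and the build's Conan lockfile is then the authoritative place to check the version.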

ohlidalp commented 1 year ago

Hello.

We're planning a feature release this November/December which should also cover this issue.

Codec_FreeImage.so is part of the OGRE renderer (www.ogre3d.org), which we build ourselves, so we should be able to update its dependencies. @AnotherFoxGuy knows the specifics of the build process.

CuriousMike56 commented 1 year ago

Is libwebp required for Conan? It's only referenced here https://github.com/RigsOfRods/rigs-of-rods/blob/91f99be92acd333dff9f6cfd491d4f1c10e2d5d8/conanfile.py#L27

AnotherFoxGuy commented 1 year ago

I've updated libwebp in PR #3037

Is libwebp required for Conan?

It is a dependency of FreeImage, which we use to decode/load images