SchildiChat / schildichat-desktop

Matrix client / Element Web/Desktop fork
https://schildi.chat
Apache License 2.0
370 stars 42 forks

CVE-2023-4863: emerg update due to webp vulnerability #212

Closed Cyborgscode closed 4 months ago

Cyborgscode commented 9 months ago

All major browser- and Electron-based apps need an update due to a bug in the libwebp library.

Chromium and Electron have already supplied patches.

There is no CVE available for this.

When you are on it, the not-working first-call issue is a real bugger in real life.

Cyborgscode commented 9 months ago

The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image.

Cyborgscode commented 9 months ago

URL: http://webmproject.org/

Summary: Library and tools for the WebP graphics format

Description: WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently.


Update Information:

Backport fix for CVE-2023-5129.

ChangeLog:

Cyborgscode commented 9 months ago

There is more than one bug to fix here.

github-actions[bot] commented 4 months ago

This issue is stale because it has been open 150 days with no activity. Remove stale label or comment or this will be closed in 14 days.

su-ex commented 4 months ago

Fixed through backported Electron security fixes.