Update vulnerable libwebp library to 1.3.2

Telegram-FOSS-Team / Telegram-FOSS

Unofficial, FOSS-friendly fork of the original Telegram client for Android

GNU General Public License v2.0

2.95k stars 376 forks source link

Update vulnerable libwebp library to 1.3.2 #700

Closed nktknshn closed 1 year ago

nktknshn commented 1 year ago

Telegram uses webp for stickers and a plain webp image can also be sent. Telegram FOSS currently uses libwebp 1.2.0 version of the library (it seems the official android Telegram client is still using 0.5 version

Versions of webmproject/libwebp from 0.5.0 up to and including 1.3.1 are affected

Source

DaleBCooper commented 1 year ago

There is another 0day in libvpx. Yesterday they released v1.13.1 which fixes CVE-2023-5217. According to google only the encoding is affected which makes it harder to exploit this vulnerability. Nevertheless a rebuild with the new version should be considered.

DaleBCooper commented 1 year ago

F-Droid released a new build today.

obfusk commented 1 year ago

F-Droid patched libwebp in the Telegram FOSS build to include the CVE-2023-4863 fix. But it should also be fixed here.