chai2010 / webp

WebP decoder and encoder for Go (Zero Dependencies).
http://godoc.org/github.com/chai2010/webp
BSD 3-Clause "New" or "Revised" License

CVE-2023-4863 impacting libwebp 1.0.2 #61

Open delroth opened 10 months ago

delroth commented 10 months ago

Hi!

This Go library vendors libwebp 1.0.2, which is vulnerable to CVE-2023-4863 (critical severity buffer overflow in libwebp image decoding). Upstream has a 1.0.3 available with the vulnerability fixed: https://github.com/webmproject/libwebp/tree/1.0.3

Could you please update the vendored libwebp and tag a new release of this library so dependents can get updated?

Thank you!

nikooo777 commented 3 months ago

Please @chai2010, can you push this change?

trunov commented 2 months ago

@chai2010, hey, please update the package.

nikooo777 commented 2 months ago

Nice, that happened! This can finally be closed now.