Hi!
This Go library vendors libwebp 1.0.2, which is vulnerable to CVE-2023-4863 (critical severity buffer overflow in libwebp image decoding). Upstream has a 1.0.3 available with the vulnerability fixed: https://github.com/webmproject/libwebp/tree/1.0.3
Could you please update the vendored libwebp and tag a new release of this library so dependents can get updated?
Thank you!