flathub / org.electronjs.Electron2.BaseApp


CVE-2023-4863 vulnerability #45

Closed AdamWill closed 1 year ago

AdamWill commented 1 year ago

Hi, folks. I may be missing something, but...this doesn't seem to be formally raised anywhere yet (someone else had this thought an hour ago on hackernews, but that's all I can find), and it seems rather important.

Is it the case that this runtime, and consequently all runtimes based on it - including a lot of widely used ones, like com.slack.Slack, com.discordapp.Discord and im.riot.Riot - is vulnerable to CVE-2023-4863, the libwebp 0-day recently disclosed for Chromium and Firefox? If so, is there a plan to address it?

For now I have removed all flatpaks I had installed that are based on this runtime.

refi64 commented 1 year ago

Afaik all Chromium derivatives, including Electron, will by default statically link libwebp. Thus, it's on the applications to update their Electron to one with the fixed libwebp; the base app doesn't control that.

AdamWill commented 1 year ago

yeah, I was coming to the same conclusion. so, fun times checking each individual electron app! whee.
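An added example (not code from this thread or from Flathub) of the per-app check the two comments above describe: because each Electron app carries its own statically linked libwebp, you compare the Electron release bundled in each installed app against the first fixed release of that Electron line. The fix table and the app inventory below are constructed placeholders; the real fixed versions come from the Electron advisory for CVE-2023-4863, and how you read the bundled version out of a given app depends on how that app is packaged.

```python
"""Triage Electron-based Flatpaks by the Electron release each one bundles.
Electron statically links libwebp, so the CVE-2023-4863 fix only arrives via an
Electron update inside each app; the base app cannot fix it for them."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Optional[Version]:
    """Pull X.Y.Z out of 'v26.2.0', '26.2.0' or a UA fragment '... Electron/26.2.0'."""
    m = re.search(r"Electron/(\d+)\.(\d+)\.(\d+)", text) or \
        re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version: Version, fixed: Dict[int, Version]) -> str:
    """'patched' if at/after the first fixed release of its major line, 'vulnerable'
    if older, 'unsupported-major' if the line has no fix (treat as vulnerable)."""
    floor = fixed.get(version[0])
    if floor is None:
        return "unsupported-major"
    return "patched" if version >= floor else "vulnerable"

def triage(inventory: str, fixed: Dict[int, Version]) -> Dict[str, str]:
    """inventory: one '<flatpak app id> <bundled Electron version text>' per line."""
    report: Dict[str, str] = {}
    for line in inventory.strip().splitlines():
        app, _, ver_text = line.strip().partition(" ")
        ver = parse_version(ver_text)
        report[app] = classify(ver, fixed) if ver else "unknown-version"
    return report

def installed_app_ids() -> List[str]:
    """Real flatpak invocation: lists installed app ids to build the inventory from."""
    out = subprocess.run(["flatpak", "list", "--app", "--columns=application"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()

# CONSTRUCTED fix table (example values, not from this thread): replace each entry
# with the first patched release of that Electron line from the Electron advisory.
EXAMPLE_FIXED: Dict[int, Version] = {24: (24, 8, 0), 25: (25, 8, 0), 26: (26, 2, 0)}

# CONSTRUCTED inventory: app ids from the thread, version strings invented for the demo.
SAMPLE_INVENTORY = """\
com.slack.Slack Chrome/116.0.5845.100 Electron/26.2.0
com.discordapp.Discord v25.7.4
im.riot.Riot 22.3.9
"""

if __name__ == "__main__":
    for app, status in triage(SAMPLE_INVENTORY, EXAMPLE_FIXED).items():
        print(f"{app}: {status}")
```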