imazen / imageflow

High-performance image manipulation for web servers. Includes imageflow_server, imageflow_tool, and libimageflow
https://docs.imageflow.io/
GNU Affero General Public License v3.0

Investigate libwebp CVE-2023-1999 #638

Closed bes-internal closed 9 months ago

bes-internal commented 9 months ago

need to update libwebp-sys dependency to version >=0.9.1

ref: https://github.com/NoXF/libwebp-sys/issues/18
ref: https://www.cve.org/CVERecord?id=CVE-2023-1999
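One way to verify the resolved dependency version the report asks for is to inspect `Cargo.lock` rather than `Cargo.toml`, since a `>=` requirement in the manifest does not guarantee the lock file was actually refreshed. The following is an added check, not part of the imageflow project; it assumes the standard `[[package]]` layout of a Cargo lock file and uses a constructed `Cargo.lock` excerpt as its input. The crate name `libwebp-sys` and the minimum version `0.9.1` are the ones named in this issue.

```python
import re
from typing import List, Tuple

# Constructed Cargo.lock excerpt for demonstration (not taken from the imageflow repository).
SAMPLE_LOCK = """
[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libwebp-sys"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Minimum version requested in the issue for the libwebp-sys crate.
MIN_SAFE_VERSION = (0, 9, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.9.1' (or '0.9.1-beta', pre-release tag dropped) into a comparable tuple."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def locked_versions(lock_text: str, crate: str) -> List[str]:
    """Return every version of `crate` that appears in the lock file.

    A lock file can legitimately contain the same crate more than once
    (two major versions pulled in by different dependents), so all of them
    are returned and each must be checked.
    """
    versions = []
    for block in lock_text.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', block, re.MULTILINE)
        version = re.search(r'^version = "([^"]+)"', block, re.MULTILINE)
        if name and version and name.group(1) == crate:
            versions.append(version.group(1))
    return versions


def check_lock(lock_text: str, crate: str = "libwebp-sys",
               min_version: Tuple[int, ...] = MIN_SAFE_VERSION) -> Tuple[str, List[str]]:
    """Classify the lock file as 'absent', 'ok' or 'vulnerable' for the given crate.

    'vulnerable' means at least one locked copy is older than `min_version`.
    """
    found = locked_versions(lock_text, crate)
    if not found:
        return ("absent", found)
    outdated = [v for v in found if parse_version(v) < min_version]
    return ("vulnerable" if outdated else "ok", found)


if __name__ == "__main__":
    status, versions = check_lock(SAMPLE_LOCK)
    print(f"libwebp-sys locked at {versions}: {status}")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the contents of `Cargo.lock`; a result of `vulnerable` means `cargo update -p libwebp-sys` (or an equivalent refresh) is still needed even if the manifest already says `>=0.9.1`.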

lilith commented 9 months ago

Will do. It's not immediately clear if this affects decoding, however, which would be the only attack path (Imageflow only allows lossless/quality configuration of webp encoding).

bes-internal commented 9 months ago

I apologize; I probably didn't figure out the correct CVE number myself. Most likely I wanted to give this: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863 and https://blog.isosceles.com/the-webp-0day/

lilith commented 9 months ago

Thank you. I've patched it, and also updated every other dependency in the project due to some interlocking restrictions.

https://github.com/imazen/imageflow/security/advisories/GHSA-7vpr-3ppw-qrpj

lilith commented 9 months ago

I'm closing this as there's now an advisory and products have been updated.