Closed bes-internal closed 9 months ago
Will do. It's not immediately clear if this affects decoding, however, which would be the only attack path (Imageflow only allows lossless/quality configuration of webp encoding).
I apologize and probably didn't figure out the correct cve number myself. Most likely I wanted to give this https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863 https://blog.isosceles.com/the-webp-0day/
Thank you. I've patched it, and also updated every other dependency in the project due to some interlocking restrictions.
https://github.com/imazen/imageflow/security/advisories/GHSA-7vpr-3ppw-qrpj
I'm closing this as there's now an advisory and products have been updated
need to update libwebp-sys dependency to version >=0.9.1
ref: https://github.com/NoXF/libwebp-sys/issues/18 ref: https://www.cve.org/CVERecord?id=CVE-2023-1999