leinelissen / jellyfin-audio-player

🎵 A gorgeous Jellyfin audio streaming app for iOS and Android
https://fintunes.app
MIT License
657 stars 26 forks

Is this app affected by the libwebp 0day? #182

Closed linsui closed 2 months ago

linsui commented 7 months ago

It uses react-native-skia, which hasn't updated libwebp yet. Is it used to display the cover images?

leinelissen commented 7 months ago

That's correct, thanks for bringing it up. We're using react-native-skia to render the cover images and blur. The rest is rendered using react-native-fast-image, which I imagine is vulnerable to the CVE as well. I would love to update both dependencies, but I am bound by them making a version available with the fixed version of libwebp. I will check this during this weekend.

linsui commented 7 months ago

Looks like react-native-fast-image is only affected on iOS. On Android I guess the system libwebp is used.

leinelissen commented 2 months ago

I've just updated the react-native-skia version, as well as the downstream libwebp dependency in react-native-fast-image. This covers everything on the iOS side, while libwebp is natively supported on Android, so no action is required from our end.