https://github.com/chai2010/webp is a dependency of mautrix-whatsapp and is currently vulnerable to CVE-2023-4863. Unfortunately it also seems to be unmaintained (no commit in 18 months, long backlog of untriaged issues and PRs).
It's unclear to me what kind of exposure mautrix-whatsapp would have to CVE-2023-4863, but I suspect you'd be better off changing the webp library anyway (maybe in favor of the pure-Go https://pkg.go.dev/golang.org/x/image/webp, which happens to also be the more popular alternative).
The official one doesn't do encoding, but I guess the bridge could use that for decoding and the unmaintained one for encoding until someone comes up with a better option.
Hi!
cc @chvp ref nixos/nixpkgs#254798
Best,
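As an added example (not part of this issue thread, and not mautrix-whatsapp's own tooling), here is a small POSIX shell check a maintainer or packager can run to confirm whether a Go module's go.mod still requires github.com/chai2010/webp, which bundles the libwebp code affected by CVE-2023-4863. The go.mod content below is constructed for the demo and its version strings are placeholders, not real releases of either module.

```shell
#!/bin/sh
# Added example: flag a go.mod that still requires github.com/chai2010/webp.
# The go.mod below is constructed for this demo; the versions are placeholders.

DEMO_MOD="${TMPDIR:-/tmp}/demo_go.mod"
cat > "$DEMO_MOD" <<'EOF'
module example.com/demo-bridge

go 1.20

require (
	github.com/chai2010/webp v0.0.0-placeholder
	golang.org/x/image v0.0.0-placeholder // indirect
)
EOF

# find_dep FILE MODULE
#   Prints "MODULE VERSION" for every matching require line (direct or
#   "// indirect") and exits 0; exits 1 when the module is not required.
find_dep() {
    awk -v mod="$2" '
        $1 == mod { print $1, $2; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_go_mod FILE
#   Exits 0 when the vulnerable module is absent, 1 when it is still required.
check_go_mod() {
    if dep=$(find_dep "$1" github.com/chai2010/webp); then
        echo "FAIL: $dep bundles libwebp; review exposure to CVE-2023-4863" >&2
        return 1
    fi
    echo "OK: github.com/chai2010/webp is not required by $1"
    return 0
}

# Run the check against the constructed go.mod (expected to FAIL on purpose).
check_go_mod "$DEMO_MOD" || true
```

In a real checkout the equivalent one-liners are `go list -m all | grep chai2010/webp`, which also covers transitive requirements that never appear in your own go.mod, and `govulncheck ./...` from golang.org/x/vuln, which reports only the vulnerable functions your binary actually reaches; the script above is just the quick go.mod-level gate for a packaging pipeline.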