• Critical WebP bug: many apps, not just browsers, under threat

    #2587284

    https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

    The heap buffer overflow (CVE-2023-4863) vulnerability in the WebP Codec is being actively exploited in the wild.

    A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release of updates to address the issue.

    Update (9/13/2023): So far the Web Browsers that have confirmed a fix and released an update include: Google Chrome[1], Mozilla Firefox[2], Brave[3], and Microsoft Edge[4]. If your browser of choice is using Chromium then expect an update to already be rolled out or to be rolled out shortly.

    โš ๏ธ Important: Let me make it perfectly clear that this vulnerability doesn’t just affect web browsers, it affects any software that uses the libwebp library…

    Who uses libwebp? There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: Affinity (the design software), Gimp, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), ffmpeg, and many, many Android applications as well as cross-platform apps built with Flutter.

    Update (9/14/2023): 1Password for Mac have released an update to address the issue. 1Password (like many others) is an application built with Electron, and until all these apps upgrade to the latest version – they are considered vulnerable based on the severity of the bug…

    • This topic was modified 1 year, 8 months ago by Alex5723.
    • #2587294

      Pale Moon /fixed

    • #2587306

      For more info on Palemoon

      v32.4.0.1 (2023-09-14)
      This is a point release update to address a critical security vulnerability.
      Changes/fixes:
      Fixed a WebP decoder issue (CVE 2023-4863)

      Vivaldi have also mitigated CVE-2023-4863 on the 12th Sept 2023:

      [Chromium] Upgraded to 116.0.5845.195: fixes CVE-2023-4863 — Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06

      Gimp 2.10.36 will address the issue when compiled and released, according to the BugTracker

      As for older versions offered within Linux distro repos, the headache begins..

      Windows - commercial by definition and now function...
    • #2587398

      XnViewMP has libwebp 1.3.0, which I believe is affected.

       

    • #2587448

      Microsoft Edge fixed this three days ago in version 116.0.1938.81

    • #2587501

      Ubuntu based Linux distros:
      Ref: https://ubuntu.com/security/notices

      USN-6369-1: libwebp vulnerability
      14 September 2023
      libwebp could be made to crash or run programs if it opened a specially crafted file.

      CVE-2023-4863

      Ubuntu 23.04 | Ubuntu 22.04 LTS | Ubuntu 20.04 LTS

      Debian based distros (sans Ubuntu):
      Ref: https://www.debian.org/security/2023/dsa-5497

      Applicable updates will be filtering through your choice of distro via the updater.

      Windows - commercial by definition and now function...
      • #2587503

        Already showed up on Mint 20.3 and 21.1. Updated one 20.3 and two 21.1 machines; no issues.

    • #2587563

      There’s a MSWebp.dll in System32 which dates from 2021. (up-to-date win10)

      • #2587595

        MSWebp.dll in System32

        Which seems to have no relation to https://github.com/webmproject/libwebp

        • #2587617

          It seems to be part of Media Foundation and/or WIC (Windows Imaging Component), though the support for WebP is rather undocumented.

          If it’s a wrapper for the open source library, it could have the same vulnerability. However, the file size looks too small to be a full WebP implementation.

          There’s also MSWebp_store.dll.

    • #2587620

      The latest stable version of MPC-HC, 2.0.0, which was released many months ago, is vulnerable too.

      Same for the latest stable SumatraPDF.

    • #2587725

      LibreWolf 117.0.1-1 with fixed webP

    • #2587748

      Basilisk browser v2023.09.15 mitigates the webP decoder issue (CVE 2023-4863)

      Windows - commercial by definition and now function...
    • #2587800

      Edge Version 109.0.1518.140: September 15, 2023
      For Windows 7, 8, 8.1, 2012 R2.
      Fixed webP

      https://www.askwoody.com/forums/topic/microsofts-edge-109-updates-for-windows-7-8-8-1-2012-r2/

    • #2587814

      Who uses libwebp? There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: Affinity (the design software), Gimp, Inkscape, LibreOffice, Telegram, Thunderbird (now patched), ffmpeg, and many, many Android applications as well as cross-platform apps built with Flutter.

      I guess you can add Pix to that list. Pix is a program I use to convert webp picture files to jpg or png files. Pix comes with Linux Mint Cinnamon.

      Being 20 something in the 70's was so much better than being 70 something in the insane 20's
    • #2588626

      Mp3Tag 3.22b updated for webP

    • #2590730

      MPC-HC does not use libwebp
