• optissima@possumpat.io
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      In September 2023, two critical vulnerabilities[108] relating to WebP images were discovered by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab, potentially affecting Google Chrome, Chromium-based browsers and the Google’s libwebp project, among any application implementing libwebp. Among these vulnerabilities, CVE-2023-4863 was an actively exploited vulnerability with a high risk rating of CVSS 8.8. This could lead to an out of bounds/overflow condition in applications using the affected libwebp library, upon exploitation of a maliciously crafted .webp lossless file. This could result in a denial of service (DoS), or worse, enabling malicious remote code execution (RCE). The extensive use of libwebp packages across hundreds of applications, including all categories from web browsers to mobile apps, posed a major patching challenge to mitigate the vulnerability due to the demanding testing requirements before release, highlighting the implications of this vulnerability on a wide scale.

      https://en.m.wikipedia.org/w/index.php?title=WebP

      • miridius@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        So what, we’re not supposed to use any library that’s ever had a vulnerability? You better go uninstall literally everything on your computer then

    • Gianni R@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      It is a modern successor to formats like WebP & JPEG. WebP was barely competitive with JPEG