Update libwebp-sys to fix CVE-2023-1999 #23

Closed
w-flo opened this issue May 19, 2023 · 2 comments

w-flo commented May 19, 2023

Hi!

libwebp-sys just released version 0.9.1 that includes not-yet-released code from libwebp git's 1.3.0 branch. libwebp 1.3.0 appears to be affected by CVE-2023-1999, which might allow arbitrary code execution by a remote attacker because of a double-free.

The CVE situation is a bit confusing because Google hasn't released 1.3.1, even though they fixed the double free in February and the CVE was filed last month (without any details), and Firefox shipped that patch in Firefox 112, referring to CVE-2023-1999, many weeks ago. Ubuntu just updated libwebp in their archives a few days ago to include the patch.

So it might be a good idea to update this crate's libwebp-sys version, too.

jaredforth self-assigned this May 19, 2023

misl-smlz (Contributor) commented Jul 4, 2023

#25 / any updates on this?

jaredforth (Owner) commented

Resolved in #25
