
CVE-2023-4863 impacting libwebp 1.0.2

Open delroth opened this issue 2 years ago • 4 comments

Hi!

This Go library vendors libwebp 1.0.2, which is vulnerable to CVE-2023-4863 (critical-severity buffer overflow in libwebp image decoding). Upstream has a 1.0.3 available with the vulnerability fixed: https://github.com/webmproject/libwebp/tree/1.0.3

Could you please update the vendored libwebp and tag a new release of this library so dependents can get updated?

Thank you!

delroth, Sep 18 '23 18:09
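For dependents who want to check whether they are still pinned to a pre-fix release, here is an added example (not code from this issue, the chai2010/webp project or libwebp) of a small Go scanner over a go.mod file. It assumes the library's module path is github.com/chai2010/webp, and the fixed tag used in main() is a constructed placeholder: the issue does not say which tag of the library ships libwebp 1.0.3, so that value must be taken from the project's own release notes. The comparison follows Go's semver rules, so a pseudo-version such as v1.0.3-0.2024...-abcdef sorts below the v1.0.3 tag and is flagged conservatively.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one dependency whose pinned version is below the first fixed release.
type Finding struct {
	Module  string
	Version string
}

// requireLine matches "module/path vX.Y.Z..." either as a bare "require" line
// or as one line inside a "require ( ... )" block; trailing "// indirect" is ignored.
var requireLine = regexp.MustCompile(`^\s*(?:require\s+)?([A-Za-z0-9._/-]+)\s+(v[0-9]+\.[0-9]+\.[0-9]+\S*)`)

// parseSemver splits "v1.2.3" or "v1.2.3-0.20240430..." into its numeric core.
// prerelease is true when a "-" suffix (prerelease or Go pseudo-version) is present.
func parseSemver(v string) (parts [3]int, prerelease bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	core := v
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		core = v[:i]
		prerelease = strings.HasPrefix(v[i:], "-")
	}
	fields := strings.Split(core, ".")
	if len(fields) != 3 {
		return parts, false, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false, false
		}
		parts[i] = n
	}
	return parts, prerelease, true
}

// compareSemver returns -1, 0 or 1. A prerelease/pseudo-version sorts before
// the tag with the same numeric core, as in semver and the Go module system.
func compareSemver(a, b string) int {
	pa, prea, _ := parseSemver(a)
	pb, preb, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case prea && !preb:
		return -1
	case !prea && preb:
		return 1
	}
	return 0
}

// ScanGoMod reports every module in goModText that appears in fixedVersions
// and is pinned below the fixed version given there.
func ScanGoMod(goModText string, fixedVersions map[string]string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(goModText))
	for sc.Scan() {
		m := requireLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		module, version := m[1], m[2]
		fixed, tracked := fixedVersions[module]
		if !tracked {
			continue
		}
		if _, _, ok := parseSemver(version); !ok {
			continue // unparseable version: skip rather than guess
		}
		if compareSemver(version, fixed) < 0 {
			findings = append(findings, Finding{Module: module, Version: version})
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod for the demo; the version numbers are made up.
const sampleGoMod = `module example.com/imageservice

go 1.21

require (
	github.com/chai2010/webp v1.0.9
	golang.org/x/image v0.15.0 // indirect
)
`

func main() {
	// PLACEHOLDER: "v1.1.0" is a constructed threshold for this demo. Replace it with the
	// first github.com/chai2010/webp tag that vendors libwebp 1.0.3 (see the project's releases).
	fixed := map[string]string{"github.com/chai2010/webp": "v1.1.0"}
	for _, f := range ScanGoMod(sampleGoMod, fixed) {
		fmt.Printf("%s pinned at %s is below the fixed release %s\n", f.Module, f.Version, fixed[f.Module])
	}
}
```

In practice you would read the real go.mod from disk and feed it to ScanGoMod; running it against `go list -m all` output works too, since those lines have the same "path version" shape the regular expression accepts.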

Please @chai2010, can you push this change?

nikooo777, Apr 11 '24 14:04

@chai2010 hey, please update the package.

trunov, Apr 29 '24 09:04

Nice, that happened! This can finally be closed now.

nikooo777, Apr 30 '24 16:04

Thanks for the update. Any idea when release 1.0.3 will be available?

cogtea, Aug 14 '24 18:08