v_kyr Posted September 13 Share Posted September 13 A number of vulnerabilities in Google's WebP image format have recently become known that allow attackers to trigger memory errors (heap buffer overflow) in unspecified ways. This usually means that malicious code can get onto systems and attackers can completely compromise computers. – Therefore, it makes sense to update the Webp library accordingly to prevent and close this WebP gap for Affinity products. CLC and ATP 1 1 Quote ☛ Affinity Designer 1.10.6 ◆ Affinity Photo 1.10.6 ◆ Affinity Publisher 1.10.6 ◆ OSX El Capitan☛ Affinity V2 apps still not installed and thus momentary not in use under MacOS Link to comment Share on other sites More sharing options...
myclay Posted September 15 Share Posted September 15 I wonder if MSIX sandboxing helps here or not? CLC 1 Quote Sketchbook (with Affinity Suite usage) | timurariman.com | gumroad.com/myclayWindows 11 Pro - 22H2 | Ryzen 5800X3D | RTX 3090 - 24GB | 128GB | Main SSD with 1TB | SSD 4TB | PCIe SSD 256GB (configured as Scratch disk) | Link to comment Share on other sites More sharing options...
CLC Posted September 19 Share Posted September 19 On 9/15/2023 at 10:09 AM, myclay said: I wonder if MSIX sandboxing helps here or not? Sadly, not at all. Thank you for mentioning this, @v_kyr, what a shame you posted this into Feedback section instead of bug section though. Also, severity of this bug is so serious that Serif should issue an update to the whole V1 line as well... Honorable mention: @Patrick Connor myclay 1 Quote Why relying on your users to report errors is the dumbest thing you’ll ever do Link to comment Share on other sites More sharing options...
v_kyr Posted September 19 Author Share Posted September 19 7 hours ago, CLC said: what a shame you posted this into Feedback section instead of bug section though First I wanted to place it into the bug section, but then thought Ok it's usually not an Affinity own bug but instead more a Google third-party used library (libwebp) security hole (bug) which can lead to vulnerability attacks. Also so far didn't recherched, if the yet new released Affinity v2.2 versions do include a more recent (fixed) libwebp version here or not (?). If not they should update that one accordingly! CLC, myclay and PaulEC 1 2 Quote ☛ Affinity Designer 1.10.6 ◆ Affinity Photo 1.10.6 ◆ Affinity Publisher 1.10.6 ◆ OSX El Capitan☛ Affinity V2 apps still not installed and thus momentary not in use under MacOS Link to comment Share on other sites More sharing options...
Staff Patrick Connor Posted September 19 Staff Share Posted September 19 It's fine being here. I have linked your request to the developer report, which is under consideration already. _Th, myclay, CLC and 2 others 3 2 Quote Patrick Connor Serif Europe Ltd Latest V2 releases on each platform Help make our apps better by joining our beta program! "There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self." W. L. Sheldon Link to comment Share on other sites More sharing options...
ATP Posted Wednesday at 01:26 PM Share Posted Wednesday at 01:26 PM https://nvd.nist.gov/vuln/detail/CVE-2023-5129 Google has given this vulnerability a 10.0 base score, something basically never seen. Quote Link to comment Share on other sites More sharing options...
v_kyr Posted Thursday at 03:32 PM Author Share Posted Thursday at 03:32 PM On 9/27/2023 at 3:26 PM, ATP said: https://nvd.nist.gov/vuln/detail/CVE-2023-5129 Google has given this vulnerability a 10.0 base score, something basically never seen. Yes, things obviously get now another dimension, the more becomes known about the libwebp security hole. - In order to be on the more safe & secure side here, any app which makes use of an older libwebp implementation should be updated to the newest release accordingly. The whole reminds me somehow to the Apache Log4j Security Vulnerabilities, where thousends of server side apps (internal & external ones) used the Log4j API (for very long times) without knowing about the security hole in that one. Afterwards a lot of Java based services had to be changed world wide (step for step) in order to prevent the door opened by Log4j. - I see now the same coming for libwebp related software here! ..................... Countless applications affected: Chaos at WebP gap A security gap in the WebP graphics format affects significantly more applications beyond Google's Chrome. Countless applications show pictures in Google WebP format. A weak point in the graphic format accordingly concerns all applications that use the format. In the beginning, Google only assigned the gap to the in -house web browser Chrome. New gap = old gap? In the meantime, however, Google has corrected itself and submitted the new entry CVE 2023-5129 with a critical classification (CVSS Score 10 out of 10) for the old security gap (CVE 2023-4863 "High"). However, this was declared invalid by Google after six hours. The reason is that the new entry twice with the old entry. For this purpose, the old entry has now been added that the gap in addition to Chrome also affects the complete Libwebp library that use many applications. What an attack could look like is so far unclear. In the context of web browsers there is always talk of prepared HTML websites. It sounds like visiting a website with a malicious webp graphic can initiate an attack. If an attack is successful, malicious code gets to systems. Affected applications These include browsers such as Edge and Firefox, Linux distributions such as Debian and Ubuntu and applications such as LibreOffice, Slack and Signal Desktop. In addition, many applications that rely on the electron framework are affected. A security researcher on GitHub currently collects a list of vulnerable electron apps. The Electron version 1.3.2, on the other hand, should be secured. The list of vulnerable applications is therefore long and not all security updates have been published. So users should look for patches and quickly install them. Safe expenses have already been published for Firefox, Thunderbird and Tails. On X, a security researcher brings the webp gap in connection with the BlastPass baptized attacks (CVE-2023-41064 "high") to Apple systems by the controversial security company NSO Group. There are currently no further details. ATP 1 Quote ☛ Affinity Designer 1.10.6 ◆ Affinity Photo 1.10.6 ◆ Affinity Publisher 1.10.6 ◆ OSX El Capitan☛ Affinity V2 apps still not installed and thus momentary not in use under MacOS Link to comment Share on other sites More sharing options...
v_kyr Posted Friday at 12:27 PM Author Share Posted Friday at 12:27 PM The libwebp library version 1.3.2 is the actual fixed one! Quote ☛ Affinity Designer 1.10.6 ◆ Affinity Photo 1.10.6 ◆ Affinity Publisher 1.10.6 ◆ OSX El Capitan☛ Affinity V2 apps still not installed and thus momentary not in use under MacOS Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.