Update the WebP library to the latest version to prevent possible vulnerability attacks


A number of vulnerabilities in Google's WebP image format have recently become known that allow attackers to trigger memory errors (heap buffer overflow) in unspecified ways. This usually means that malicious code can get onto systems and attackers can completely compromise computers. – Therefore, it makes sense to update the WebP library accordingly to prevent and close this WebP gap for Affinity products.

☛ Affinity Designer 1.10.6 ◆ Affinity Photo 1.10.6 ◆ Affinity Publisher 1.10.6 ◆ OSX El Capitan
☛ Affinity V2 apps still not installed and thus momentary not in use under MacOS


On 9/15/2023 at 10:09 AM, myclay said:

I wonder if MSIX sandboxing helps here or not?

Sadly, not at all.

Thank you for mentioning this, @v_kyr, what a shame you posted this into the Feedback section instead of the bug section though.

Also, the severity of this bug is so serious that Serif should issue an update to the whole V1 line as well...

Honorable mention: @Patrick Connor


7 hours ago, CLC said:

what a shame you posted this into the Feedback section instead of the bug section though

First I wanted to place it in the bug section, but then thought: OK, it's usually not Affinity's own bug but rather a security hole (bug) in a third-party Google library it uses (libwebp), which can lead to vulnerability attacks.

Also, so far I haven't researched whether the newly released Affinity v2.2 versions include a more recent (fixed) libwebp version or not (?). If not, they should update it accordingly!


  • Staff

It's fine being here. I have linked your request to the developer report, which is under consideration already.

Patrick Connor
Serif Europe Ltd

"There is nothing noble in being superior to your fellow man. True nobility lies in being superior to your previous self."  W. L. Sheldon

 


  • 2 weeks later...
On 9/27/2023 at 3:26 PM, ATP said:

https://nvd.nist.gov/vuln/detail/CVE-2023-5129

Google has given this vulnerability a 10.0 base score, something basically never seen.

Yes, things obviously now take on another dimension, the more becomes known about the libwebp security hole. In order to be on the safe & secure side here, any app which makes use of an older libwebp implementation should be updated to the newest release accordingly.

The whole thing somehow reminds me of the Apache Log4j security vulnerabilities, where thousands of server-side apps (internal & external ones) used the Log4j API (for a very long time) without knowing about the security hole in it. Afterwards a lot of Java-based services had to be changed worldwide (step by step) in order to close the door opened by Log4j. I see the same coming now for libwebp-related software!

.....................

Countless applications affected: Chaos at WebP gap

A security gap in the WebP graphics format affects significantly more applications beyond Google's Chrome.

Countless applications show pictures in Google's WebP format. A weak point in the graphics format accordingly concerns all applications that use the format. In the beginning, Google only assigned the gap to its in-house web browser Chrome.

New gap = old gap?

In the meantime, however, Google has corrected itself and submitted the new entry CVE-2023-5129 with a critical classification (CVSS score 10 out of 10) for the old security gap (CVE-2023-4863 "High").

However, this was declared invalid by Google after six hours. The reason is that the new entry duplicates the old entry. For this, the old entry has now been amended to state that, in addition to Chrome, the gap also affects the complete libwebp library that many applications use.

What an attack could look like is so far unclear. In the context of web browsers there is always talk of prepared HTML websites. It sounds like visiting a website with a malicious WebP graphic can initiate an attack. If an attack is successful, malicious code gets onto systems.

Affected applications

These include browsers such as Edge and Firefox, Linux distributions such as Debian and Ubuntu, and applications such as LibreOffice, Slack and Signal Desktop. In addition, many applications that rely on the Electron framework are affected. A security researcher on GitHub is currently collecting a list of vulnerable Electron apps. The Electron version 1.3.2, on the other hand, should be secured.

The list of vulnerable applications is therefore long and not all security updates have been published yet. So users should look for patches and install them quickly. Secured releases have already been published for Firefox, Thunderbird and Tails.

On X, a security researcher links the WebP gap to the attacks dubbed BlastPass (CVE-2023-41064 "high") on Apple systems by the controversial security company NSO Group. There are currently no further details.
