libwebp-1.3.2 module - Security update

Post#1 by Rapha_ » 26 Sep 2023, 11:30

Following the Rava alert:
Vulnerability CVE-2023-4863 of Google's Libwebp - CAVE! - affecting main browsers and known programs


I suggest you place this new version in the module folder in order to update the current one.
9/13/2023: version 1.3.2
This is a binary compatible release.
* security fix for lossless decoder (chromium: #1479274, CVE-2023-4863)
It works for Porteus 5.0.

md5sum 168e7a8b01dfd506b69c3614dab9fde7 libwebp-1.3.2-x86_64-1_slack15.0.xzm:
https://www.mediafire.com/file/xzxbnqam ... 0.xzm/file



But you also need to > update your Internet browser <

I have chosen to deactivate WebP images in Firefox to protect myself from this vulnerability.

These images are everywhere and are regularly the source of security problems.



To deactivate WebP images in Firefox, type in the address bar:

```
about:config
```

Press Enter.

Then... Accept the risk and continue

Search: webp

image.webp.enabled True ---> False

Compare with this page :
https://developers.google.com/speed/webp/gallery1

Post#2 by Rava » 27 Sep 2023, 03:49

@All Make sure this module is in your base/ folder and loaded after your module containing the vulnerable libwebp code:
Rava wrote:
22 Sep 2023, 00:09

```
guest@rava:/mnt/live/memory/images$ find . 2>/dev/null |grep libwebp
./002-xorg.xzm/usr/lib64/libwebp.so
./002-xorg.xzm/usr/lib64/libwebp.so.7
./002-xorg.xzm/usr/lib64/libwebp.so.7.1.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3.1.3
./002-xorg.xzm/usr/lib64/libwebpdemux.so
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2.0.9
./002-xorg.xzm/usr/lib64/libwebpmux.so
./002-xorg.xzm/usr/lib64/libwebpmux.so.3
./002-xorg.xzm/usr/lib64/libwebpmux.so.3.0.8
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
./002-xorg.xzm/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
./002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1
```

Cave! There are programs using vulnerable libwebp code, but you will not find it this way because it is hidden in their binaries or in some of their shipped dependencies.

To be on the safe side: do not use any of the known programs unless there is a fixed version hardened against CVE-2023-4863. As for browsers, as I mentioned in my post on the vulnerability, Pale Moon is not vulnerable to this exploit, so you can use PM in the meantime until your favourite browser is fixed.

Added in 10 minutes 3 seconds:
Rava wrote:
27 Sep 2023, 03:58
You can use virusscan.jotti.org to upload suspected malware code; I use it rarely but still use it over the years again and again. Best online scanner with the most supported scan engines out here. :)
Cheers!
Yours Rava
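
Added example (not part of the original posts or of Porteus itself): a POSIX shell check for the load-order point in post #2, listing every mounted module that ships a libwebp package record and whether the last one in load order is at least 1.3.2. It assumes modules load in name-sorted order and that each module keeps its Slackware package record under var/lib/pkgtools/packages, as in the listing above; it does not see copies of libwebp bundled inside other programs.

```shell
#!/bin/sh
# Added example: audit libwebp package records across mounted Porteus modules.
FIXED="1.3.2"   # release carrying the CVE-2023-4863 fix, per the changelog quoted in post #1

# version_lt A B: succeeds when A sorts strictly before B (needs sort -V, e.g. GNU coreutils).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_libwebp DIR: print "<module> <version> <status>" for each module under DIR
# that ships a libwebp package record, in assumed load order (sorted by module name).
# Succeeds only when the last module listed carries a version >= FIXED.
audit_libwebp() {
    dir=${1%/}
    last=""
    list=$(find "$dir" -type f -path '*/var/lib/pkgtools/packages/libwebp-*' 2>/dev/null | LC_ALL=C sort)
    while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        mod=${rec#"$dir"/}; mod=${mod%%/*}          # e.g. 002-xorg.xzm
        ver=${rec##*/libwebp-}; ver=${ver%%-*}      # libwebp-1.2.2-x86_64-1 -> 1.2.2
        if version_lt "$ver" "$FIXED"; then status=VULNERABLE; else status=fixed; fi
        printf '%s %s %s\n' "$mod" "$ver" "$status"
        last=$status
    done <<EOF
$list
EOF
    [ "$last" = "fixed" ]
}

# On a running Porteus system, audit the live module mounts used in the post above.
if [ -d /mnt/live/memory/images ]; then
    audit_libwebp /mnt/live/memory/images ||
        echo "WARNING: no libwebp >= $FIXED in the last-loaded module that ships one"
fi
```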

Post#3 by ncmprhnsbl » 27 Sep 2023, 04:11

Be aware that this is included in Porteus-v.5.01