Porteus

Porteus User Forum
https://forum.porteus.org/

libwebp-1.3.2 module - Security update

https://forum.porteus.org/viewtopic.php?f=49&t=11001

Page 1 of 1

libwebp-1.3.2 module - Security update

Posted: 26 Sep 2023, 11:30
by Rapha_
Following the rava alert :
Vulnerability CVE-2023-4863 of Google's Libwebp - CAVE! - affecting main browsers and known programs


I suggest you place this new version in the module folder in order to update the current one.
9/13/2023: version 1.3.2
This is a binary compatible release.
* security fix for lossless decoder (chromium: #1479274, CVE-2023-4863)
it works for Porteus 5.0

md5sum 168e7a8b01dfd506b69c3614dab9fde7 libwebp-1.3.2-x86_64-1_slack15.0.xzm :
https://www.mediafire.com/file/xzxbnqam ... 0.xzm/file



But you also need to > update your Internet browser <

Me I have chosen to deactivate WebP images in Firefox to protect myself from this vulnerability.

These images are everywhere and are regularly the source of security problems.



To deactivate WebP images in Firefox, in the address bar, type :

Code: Select all

about:config
Enter

Then....Accept the risk and continue

Search : webp

image.webp.enabled True ---> False

Compare with this page :
https://developers.google.com/speed/webp/gallery1

libwebp-1.3.2 module - Security update

Posted: 27 Sep 2023, 03:49
by Rava
@All Make sure this module is in your base/ folder and loaded after your module containing the vulnerable libwebp code:
Rava wrote:
22 Sep 2023, 00:09

Code: Select all

guest@rava:/mnt/live/memory/images$ find . 2>/dev/null |grep libwebp
./002-xorg.xzm/usr/lib64/libwebp.so
./002-xorg.xzm/usr/lib64/libwebp.so.7
./002-xorg.xzm/usr/lib64/libwebp.so.7.1.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3.1.3
./002-xorg.xzm/usr/lib64/libwebpdemux.so
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2.0.9
./002-xorg.xzm/usr/lib64/libwebpmux.so
./002-xorg.xzm/usr/lib64/libwebpmux.so.3
./002-xorg.xzm/usr/lib64/libwebpmux.so.3.0.8
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
./002-xorg.xzm/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
./002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1
Cave! There are programs using vulnerable libwebp code but you will not find it like so because it is hidden in its binaries or some of it shipped dependencies.

To be on the safe side: do not use any of the known programs unless there is a fixed version hardening against CVE-2023-4863. As browser, as I mentioned in my post on the vulnerability, palemoon is not vulnerable against this exploit so you can use PM in the mean time until your favourite browser is fixed.

Added in 10 minutes 3 seconds:
Rava wrote:
27 Sep 2023, 03:58
 You can use virusscan.jotti.org to upload suspected malware code; I use it rarely but still use it over the years again and again. Best online scanner with the most supported scan engines out here. :)

libwebp-1.3.2 module - Security update

Posted: 27 Sep 2023, 04:11
by ncmprhnsbl
be aware that this is included in Porteus-v.5.01
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/