I'll take a guess on what the Telegram exploit is. Mostly because people seem to be concerned and there is little information, and the recommendation appears to be "Disable automatic media download", but I am worried about the mixture of severity and lack of information and at least thought to speculate based on the information available and what I can see.

--

Now, please do keep in mind that I have spent like 15 mins on this and have hardly done anything serious, but hearing "Please do this thing to prevent an exploit but I don't have details" isn't exactly ideal. I'm also jumping to some conclusions as to what is exploitable.

--

1. Got notified about this CVE via a friend.

* CVE for Telegram - https://bsky.app/profile/redteef.bsky.social/post/3mi3ki5tip227

The main advice appears to be disable automatic media download - My assumption is that some library related to processing media appears to have some issue.

2. pmap of my running Telegram process - Saw libjxl and wondered what state it was in (Refer to media attached)

3. Looked up issues related to libjxl on github - https://github.com/libjxl/libjxl/issues/4539
and https://github.com/libjxl/libjxl/issues/4539
"libjxl JPEG XL decoder crash due to uninitialized pointer access in malformed images" - One of the screenshots output "Illegal Instruction (Core Dump)" which is sinister, this can include the CPU attempting to execute an instruction it doesn't understand and if that segment can be manipulated, this can potentially lead to arbitrary code execution.

Which then also led me to this: https://github.com/advisories/GHSA-76gx-97cq-65f5

---

Disclaimer: I can't say it is even about libjxl or related to the CVE mentioned in 1 but I can at least see an attack like so: (which gives weight to disabling media for Telegram).

1. Attacker crafts a suitable image to manipulate the decoder, image contains data that can either manipulate the pointer and/or data that the segment it could point to (for reference, just enough data to get a shell or establish a connection to something else is enough)

2. Attacker sends the image on a platform where the user using this library can then decode it.

3. The image that is decoded will then be able to execute the payload - Attacker could gain control via this method.

---

While this may seem silly, please also do not hound or abuse the devs at libjxl. Last thing I want are people who are trying to do their best to fix the issues I have listed and do not control what Telegram includes in their builds.

#telegram #cve #attachments #media #libjxl #psa
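Step 2 of the post above (using pmap to see which libraries a running process has mapped) can be repeated across every process on a Linux host. The following is an added example, not part of the original post: it parses `/proc/<pid>/maps`, which is the data pmap reads, and reports which processes map a given library. The function names, sample paths and version numbers are constructed for illustration.

```python
import os

# Constructed /proc/<pid>/maps excerpt; paths and version numbers are made up.
SAMPLE_MAPS = """\
55d0c7a00000-55d0c7a21000 r--p 00000000 08:01 131 /usr/bin/telegram-desktop
7f2a10000000-7f2a10021000 rw-p 00000000 00:00 0
7f2a1c400000-7f2a1c41f000 r--p 00000000 08:01 918 /usr/lib/libjxl.so.0.11.1
7f2a1c41f000-7f2a1c6b0000 r-xp 0001f000 08:01 918 /usr/lib/libjxl.so.0.11.1
7f2a1c900000-7f2a1c905000 r-xp 00002000 08:01 920 /usr/lib/libjxl_threads.so.0.11.1
7f2a1d000000-7f2a1d1c0000 r-xp 00028000 08:01 700 /usr/lib/libc.so.6 (deleted)
"""

DELETED = " (deleted)"  # kernel suffix: backing file was replaced or unlinked

def mapped_libraries(maps_text, name="libjxl"):
    """Return {path: {"executable", "deleted"}} for mapped files named `name`*."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        perms, path = fields[1], fields[5]
        deleted = path.endswith(DELETED)
        if deleted:
            path = path[: -len(DELETED)]
        if not os.path.basename(path).startswith(name):
            continue
        entry = found.setdefault(path, {"executable": False, "deleted": deleted})
        entry["executable"] |= "x" in perms
    return found

def scan_processes(name="libjxl", proc="/proc"):
    """Return {pid: mapped_libraries(...)} for each readable process mapping `name`."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                libs = mapped_libraries(fh.read(), name)
        except OSError:
            continue  # process exited, or maps unreadable without privileges
        if libs:
            hits[int(pid)] = libs
    return hits

if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print(pid, libs)
```

A path flagged `deleted` means the process is still running a copy of the library that has since been replaced on disk, so it has to be restarted before an updated library takes effect.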

JPEG XL is the best, but Google is against it

JPEG XL outperforms all formats in compression level and perceptual quality (DSSIM), source. The original JPEG format was developed back in 1992 and is already outdated. The question is who will replace it. JPEG XL seemed like the ideal replacement; in comparative tests it shows superiority over AVIF, WebP and other formats. One could say that the future belongs to JPEG XL, if not for one nuance: in 2022 Google for some reason removed support for it from the Chrome browser. And it does not want to bring it back.

https://habr.com/ru/companies/ruvds/articles/835150/

#JPEG XL #Jpegli #Google #сжатие_изображений #сжатие_без_потерь #FLIF #WebP #PNG #AVIF #Chrome #Chromium #JPEG_XL_Viewer #JXL #libjxl #ruvds_статьи


#libjxl 0.10 is out, and now #JPEGXL beats #AVIF even more than before.

"""
The new version of libjxl brings a very substantial reduction in memory consumption, by an order of magnitude, for both lossy and lossless compression. Also the speed is improved, especially for multi-threaded lossless encoding where the default effort setting is now an order of magnitude faster.

This consolidates JPEG XL’s position as the best image codec currently available, for both lossless and lossy compression, across the quality range but in particular for high quality to visually lossless quality. It is Pareto-optimal across a wide range of speed settings.
"""

https://cloudinary.com/blog/jpeg-xl-and-the-pareto-front

JPEG XL and the Pareto Front

Read about the release of version 0.10 of libjxl, the reference implementation for JPEG XL.

Cloudinary Blog

#libjxl 0.10 is out, and #JPEGXL beats #AVIF even more.

"""
The new version of libjxl brings a significant reduction in memory consumption, by an order of magnitude, for both lossy and lossless compression. Performance has also been improved, especially for multi-threaded lossless compression, for which the default "effort" setting is now an order of magnitude more efficient.

This consolidates JPEG XL's position as the best image codec currently available, for both lossless and lossy compression, across a wide range of quality settings, and in particular for the range from high quality to visually lossless. It is Pareto-optimal across a wide range of speed settings.
"""
(own translation)

https://cloudinary.com/blog/jpeg-xl-and-the-pareto-front


Wow, I just woke up and I discovered that @pandoc released its 3.0 version, @eleventy 2.0 beta is out, and #libjxl released version 0.8.0.

What a great night for #FOSS!

#FLOSS #JXL #JpegXL #eleventy #11ty #OpenSource #Pandoc