Another day, another #RustLang package that doesn't trust shared libraries and instead uses its own random version of #libwebp. Then a CVE comes along and it graciously considers allowing the option of statically linking against the system library, except that was a year and a half ago, and nothing has moved since then. And now I'm stuck patching this crap because something is breaking for #Gentoo users, and the only thing I can think of is that the bundled libwebp version is conflicting with the system one that gtk4 uses.
Sigh. Another day, another #RustLang package that doesn't trust shared libraries and instead bundles a random version of #libwebp. Then a CVE hits and it starts considering graciously permitting people to maybe statically link to the system library — except that was 1.5 years ago and nothing has happened since. And now I'm patching that crap because shit is falling apart for #Gentoo users, and my best guess is that the vendored libwebp is conflicting somehow with the shared libwebp that gtk4 links to.

So, #HurricaneMilton is on the way, and how do I kill my time waiting for this sucker? I recompile #FFMPEG 7.1 for all the options I've always wanted to use... but never got to compile correctly. Like #libwebp, #vidstab, and #libbluray!

Geez! I feel like @lisamelton right now! 😂❤️ I feel like this is what she does when she's stressed!

It was either this or rewatch all the Marvel movies... 😳

#Milton

It's been a few months since last year's #libwebp 0day (#CVE_2023_4863) came out, and I'm curious about whether the alarm has ratcheted down. It kinda seemed like this was potentially a pretty bad vuln if you're a political dissident using Electron apps to organize against oppressive governments, but probably not a super dangerous situation for most corporate networks (with basically no chance of broad automated exploitation). But as I think @TomSellers pointed out early on, the tail of apps that use the vulnerable library was always going to be long, and that usually means it's hard to track just how many are/were exploitable out of the box, and that it could be years before high-impact (remote) attack vectors are identified and fixed.

This is a fantastic overview: https://blog.isosceles.com/the-webp-0day/


Seth Larson documented his experience mobilizing the Python ecosystem to patch the libwebp vulnerability: https://sethmlarson.dev/security-developer-in-residence-weekly-report-16?date=2023-10-25

#python #patch #cve-2023-4863 #libwebp

Hey #TYPO3 community and security experts, is there any advisory on the recent #libwebp vulnerability? It might be negligible for TYPO3 CMS and #ImageMagick, but I don't know. CVE-2023-4863, https://ubuntu.com/security/CVE-2023-4863

Looking for some help, my company might not be able to fully patch CVE-2023-4863 aka BLASTPASS for a few days. Does anyone know a way of detecting exploitation of this through Splunk? Can you see it in web server logs? Next-gen firewall? WAF? I’m not seeing much info online about how to detect the exploitation.

#libwebp #cve20234863 #blastpass #splunk #siem

MS claim #cve20234863 is patched in Teams 1.6.00.26474 but still with Electron 19.1.8. Does anyone know if this means it's only patched in 'new' mode (Webview2) or always?
#libwebp #msteams

Critical WebP flaw: the dangers of poor communication - https://www.nextinpact.com/article/72512/faille-critique-webp-dangers-dune-mauvaise-communication

> Two weeks ago, #Google had published a security bulletin about a flaw in the #libwebp library. A few days ago, the company revised the severity rating, giving it a 10, the maximum. What happened?

#sécurité #scandale #webp
