2somethingOct 13

Fedi, help:
I am trying to use cwebp to convert images to webp. I have previously done this successfully in an arch distrobox. Now, though, it doesn't work.

distrobox enter arch bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory bash: warning: setlocale: LC_COLLATE: cannot change locale (en_US.UTF-8): No such file or directory bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory bash: warning: setlocale: LC_COLLATE: cannot change locale (en_US.UTF-8): No such file or directory cwebp -lossless -q 100 example.png -o example.webp bash: cwebp: command not foundI tried reinstalling libwebpsudo pacman -S libwebpbut it made no difference.

It seems to be an issue only affecting webp: I can still run any other cli program in my arch distrobox.
#Webp #Libwebp #Arch #Distrobox

EDIT: SOLVED! The issue was that I had libwebp installed but not libwebp-utils.

Jezus Michał "Le Wzdych" (on)Jan 16, 2025
Kolejny dzień, kolejna paczka #RustLang, która nie ufa dzielonym bibliotekom i zamiast tego używa swojej przypadkowej wersji #libwebp. A potem nagle trafia się CVE i z łaski swojej rozważa dopuszczenie możliwości statycznego wiązania z systemową biblioteką — tyle że było to półtora roku temu, i nic od tego czasu się nie ruszyło. A ja teraz się użeram z łataniem tego szajsu, bo coś się sypie użytkownikom #Gentoo, i jedyne co mi przychodzi do głowy to to, że włączona wersja libwebp kłóci się z systemową, której używa gtk4.
Jesus Michał "Le Sigh" 🏔 (he)Jan 16, 2025
Sigh. Another day, another #RustLang packages that doesn't trust shared libraries and instead bundles random version of #libwebp. Then hits a CVE and starts considering graciously permitting people to maybe statically link to the system library — except that was 1.5 year ago and nothing happened since. And now I'm patching that crap because shit is falling apart for #Gentoo users, and my best guess is that vendored libwebp is conflicting somehow with shared libwebp that gtk4 links to.
((Jann Gobble)) 🏳️‍🌈Oct 9, 2024

So, #HurricaneMilton is on the way and how do I kill my time waiting for this sucker? I recompile #FFMPEG 7.1 for all the options I've always wanted to use...but never get to compile correctly. Like #libwebp, #vidstab, and #libbluray!

Geez! I feel like @lisamelton right now! 😂❤️ I feel like this is what she does when she's stressed!

It was either this or rewatch all the Marvel movies... 😳

#Milton

Caitlin CondonFeb 4, 2024

It's been a few months since last year's #libwebp 0day (#CVE_2023_4863) came out, and I'm curious about whether the alarm has ratcheted down. It kinda seemed like this was potentially a pretty bad vuln if you're a political dissident using Electron apps to organize against oppressive governments, but probably not a super dangerous situation for most corporate networks (with basically no chance of broad automated exploitation). But as I think @TomSellers pointed out early on, the tail of apps that use the vulnerable library was always going to be long, and that usually means it's hard to track just how many are/were exploitable out of the box, and that it could be years before high-impact (remote) attack vectors are identified and fixed.

This is a fantastic overview: https://blog.isosceles.com/the-webp-0day/

The WebP 0day

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached: "Google

Isosceles Blog
Gonçalo ValérioOct 30, 2023

"Patching the libwebp vulnerability across the Python ecosystem"

https://sethmlarson.dev/security-developer-in-residence-weekly-report-16?date=2023-10-25

#security #supplychain #python #libwebp

Patching the libwebp vulnerability across the Python ecosystem

This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem! Vulnerabi...

Seth Michael Larson
Tedi HeriyantoOct 27, 2023

Seth Larson documented his experience mobilizing the Python ecosystem patching the libwebp vulnerability: https://sethmlarson.dev/security-developer-in-residence-weekly-report-16?date=2023-10-25

#python #patch #cve-2023-4863 #libwebp

Patching the libwebp vulnerability across the Python ecosystem

This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem! Vulnerabi...

Seth Michael Larson
MatengOct 5, 2023
Hey #TYPO3 community and security experts, is there any advisory on the recent #libwebp vulnerability? It might be negligible for TYPO3 CMS and #ImageMagick, but I don't know. CVE-2023-4863, https://ubuntu.com/security/CVE-2023-4863
CVE-2023-4863 | Ubuntu

Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Ubuntu
Mark HuntOct 4, 2023

Looking for some help, my company might not be able to fully patch CVE-2023-4863 aka BLASTPASS for a few days. Does anyone know a way of detecting exploitation of this through Splunk? Can you see it in web server logs? Next-gen firewall? WAF? I’m not seeing much info online about how to detect the exploitation.

#libwebp #cve20234863 #blastpass #splunk #siem

KetumbraOct 3, 2023
MS claim #cve20234863 is patched in Teams 1.6.00.26474 but still with Electron 19.1.8. Does anyone know if this means it's only patched in 'new' mode (Webview2) or always?
#libwebp #msteams