-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Libwebp v1.0.0 存在CVE-2023-4863漏洞 #2746
Comments
[Log - HEAD - webm/libwebp - Git at Google (googlesource.com) |
fresco4.2以上版本是走系统的解码,源码里面依赖的libwep只是针对4.2以下版本才有用的 |
这是在哪做的判断呀,源码里么 |
|
I hope that fresco can update libwebp to 1.3.2 and force using it on all Android versions. Only the latest few Android versions will get the fix. Relying on the system webp support means exposing the users to attack. |
https://blog.isosceles.com/the-webp-0day/ 里面描述的触发调用堆栈入口为WebPDecode,根据WebpSupportStatus.java里面的判断,只针对nativeDecodeStream与nativeDecodeByteArray这2个函数,那么WebPFrame_nativeRenderFrame是否也可能受到影响,因为WebPFrame_nativeRenderFrame也会调用到WebPDecode,该接口是否也有可能受到该漏洞的影响? |
Please use Fresco version 3.1.3+ which has a newer version of libwebp. |
近期谷歌披露了WebP组件的高危漏洞CVE-2023-4863
由于该组件存在边界错误,远程攻击者可以通过精心构造的webp图片,触发基于堆的缓冲区溢出并在目标系统上执行任意代码
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
The text was updated successfully, but these errors were encountered: