Does new Release of Magick.NET 13.3.0 address Webp - Heap Buffer Overflow vulnerability #6664
Replies: 3 comments 7 replies
-
|
This issue was remediated in the latest release of Windows ImageMagick. @dlemstra, can you confirm? |
Beta Was this translation helpful? Give feedback.
-
|
There was an update of libwebp to version 1.3.2 that resolves this issue as you can see in the release notes here: https://github.com/dlemstra/Magick.NET/releases/tag/13.3.0. |
Beta Was this translation helpful? Give feedback.
-
|
The only mention of WEBP at that link is "WEBP now respects ping (#6572)". No mention of the "webp buffer overflow" vulnerability. |
Beta Was this translation helpful? Give feedback.
-
|
@dlemstra , can you please confirm that the release 13.3.0 solves the webp buffer overflow issue? |
Beta Was this translation helpful? Give feedback.
-
|
Excuse my ignorance @dlemstra but is this patch also in ImageMagick or just Magick.NET? |
Beta Was this translation helpful? Give feedback.
-
|
We have also applied this patch in the Windows build of ImageMagick 7.1.1-17. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @dlemstra. Assuming we can also build from source to get this fix for Linux correct? |
Beta Was this translation helpful? Give feedback.
-
|
You will probably just need to update libwebp if you have a dynamic build. For a static build you do need a rebuild. |
Beta Was this translation helpful? Give feedback.
-
|
I would suggest explicitly stating this fix in the Changelog (https://github.com/ImageMagick/Website/blob/main/ChangeLog.md). |
Beta Was this translation helpful? Give feedback.
-
|
The ChangeLog is automatically generated by a script and reflects all commits made to the main repository. In our recent update, we've included the patched release of libwebp in the Windows binaries. If you're using a Linux system, we recommend using your package manager to ensure libwebp is up-to-date with the latest release. For those opting for source builds, the process involves two steps. First, install the latest release of libwebp, and then proceed to build ImageMagick from source. This ensures that it properly links to the libwebp delegate library with the patch that mitigates the vulnerability. |
Beta Was this translation helpful? Give feedback.
-
ImageMagick version
13.3.0
Operating system, version and so on
Windows
Description
Does this update address the "webp buffer overflow" vulnerability in Google Chrome, which potentially affects MagicNET,
https://nvd.nist.gov/vuln/detail/CVE-2023-4863…
Wondering if there is any plan to release or patch for overcome this vulnerability. Thanks!
Beta Was this translation helpful? Give feedback.
All reactions