[BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863

[delroth]

Description

SkiaSharp vendors (via mono/skia) a version of libwebp that is vulnerable to CVE-2023-4863.

Upstream skia picked up the fixed libwebp via google/skia@1176deb

Please:

1. Update mono's skia fork.
2. Release a new SkiaSharp version which isn't vulnerable to CVE-2023-4863 anymore.
3. Update the GHSA for CVE-2023-4863 (GHSA-j7hp-h8jx-5ppr) so that dependents get alerted of the vulnerability in SkiaSharp. (Happy to take care of that myself otherwise when a new release is available)

Thank you!

Code

n/a

Expected Behavior

No response

Actual Behavior

No response

Version of SkiaSharp

2.88.3 (Current)

Last Known Good Version of SkiaSharp

Other (Please indicate in the description)

IDE / Editor

Other (Please indicate in the description)

Platform / Operating System

All

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[mattleibow]

Thanks for the issue, PRs building and will get a release ASAP.

[darakian]

@mattleibow feel free to ping over on github/advisory-database#2727 (or @ me or whatever) when ready and I can get your package (with affected versions) added to the GHSA and get dependabot alerts going out to your users if you like 😄

[mattleibow]

Patched versions are:

• 3.x alpha and this is version 3.0.0-alpha.1.27 on the feed https://aka.ms/skiasharp-eap/index.json
• 2.x stable and this is version 2.88.6 and this is on nuget: https://www.nuget.org/packages/SkiaSharp/2.88.6

[delroth]

Thank you very much for your help with this issue!

[JohnHSE]

My understanding is that webp 1.3.2 still has the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
@mattleibow you might want to reopen this?

EDIT: Never mind, missed the 'prior to'. Please ignore