Assess impact of recent libwebp CVE

[cooljeanius]

Describe the desired feature

There was recently a disclosure of a major webp vulnerability that lots of projects are rushing to patch: https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
Wesnoth should assess this CVE's impact on its own webp usage, and make any changes necessary to mitigate it.

[Pentarctagon]

As discussed on Discord, generally wesnoth uses whatever is present on the system which is generally not provided directly by us. So the MacCompileStuff libwebp needs to be updated and the docker image for crosscompiling the Windows version needs to be updated once a newer msys2 installer is available, but that'd be it.

[soliton-]

What mitigation measures do you expect wesnoth to do? If wesnoth is run with a vulnerable libwebp then it's vulnerable, if not then it's not.

[cooljeanius]

What mitigation measures do you expect wesnoth to do? If wesnoth is run with a vulnerable libwebp then it's vulnerable, if not then it's not.

Well perhaps if it's built against an older version of libwebp, it could perform some additional validation of any webp images before feeding them to libwebp. Or, building against older versions of libwebp could be turned into a configure-time error (although that would probably be pretty annoying)

[cooljeanius]

As discussed on Discord,

Ah, I missed that due to the Discord outage earlier today...

So the MacCompileStuff libwebp needs to be updated

OK, I opened hrubymar10/MacCompileStuff#2 about that.

[soliton-]

Well perhaps if it's built against an older version of libwebp, it could perform some additional validation of any webp images before feeding them to libwebp. Or, building against older versions of libwebp could be turned into a configure-time error (although that would probably be pretty annoying)

It's not relevant what it's built against. It's relevant what is used at runtime. There is no ABI change involved here.

I suppose we could add a runtime check and warn the user or something. Or scan the addon server for webp images that look like they're trying to exploit that bug but honestly I would not expect that to have much impact on anything besides create a bunch of work and more chances for mistakes...

[Pentarctagon]

I don't see it as being useful for us to implement our own custom check for this. We'll update to a non-vulnerable version as soon as we can, but I don't think it's our responsibility to do anything beyond that.

[cooljeanius]

More on "the libwebp bug": https://mathstodon.xyz/@neilbickford/111219551929188817

[Pentarctagon]

The msys2 part of this should be resolved as of 47eef10

[cooljeanius]

The msys2 part of this should be resolved as of 47eef10

OK, so now we're just waiting on @hrubymar10 to update MacCompileStuff as per hrubymar10/MacCompileStuff#2, then?

[Pentarctagon]

Re-pinning this, unless anyone has another issue they want pinned instead.

[cooljeanius]

The msys2 part of this should be resolved as of 47eef10

OK, so now we're just waiting on @hrubymar10 to update MacCompileStuff as per hrubymar10/MacCompileStuff#2, then?

OK so hrubymar10/MacCompileStuff#2 is closed now; can someone verify that it works?

[hrubymar10]

@cooljeanius This version of MCS is included in 1.17.24 release. You can try it yourself if you want.