Assess impact of recent libwebp CVE #7925
Comments
As discussed on Discord, generally wesnoth uses whatever is present on the system which is generally not provided directly by us. So the MacCompileStuff libwebp needs to be updated and the docker image for crosscompiling the Windows version needs to be updated once a newer msys2 installer is available, but that'd be it.
What mitigation measures do you expect wesnoth to do? If wesnoth is run with a vulnerable libwebp then it's vulnerable, if not then it's not.
Well perhaps if it's built against an older version of libwebp, it could perform some additional validation of any webp images before feeding them to libwebp. Or, building against older versions of libwebp could be turned into a configure-time error (although that would probably be pretty annoying)
Ah, I missed that due to the Discord outage earlier today...
OK, I opened hrubymar10/MacCompileStuff#2 about that.
It's not relevant what it's built against. It's relevant what is used at runtime. There is no ABI change involved here. I suppose we could add a runtime check and warn the user or something. Or scan the addon server for webp images that look like they're trying to exploit that bug but honestly I would not expect that to have much impact on anything besides creating a bunch of work and more chances for mistakes...
I don't see it as being useful for us to implement our own custom check for this. We'll update to a non-vulnerable version as soon as we can, but I don't think it's our responsibility to do anything beyond that.
More on "the libwebp bug": https://mathstodon.xyz/@neilbickford/111219551929188817
The msys2 part of this should be resolved as of 47eef10
OK, so now we're just waiting on @hrubymar10 to update MacCompileStuff as per hrubymar10/MacCompileStuff#2, then?
Re-pinning this, unless anyone has another issue they want pinned instead.
OK so hrubymar10/MacCompileStuff#2 is closed now; can someone verify that it works?
@cooljeanius This version of MCS is included in the 1.17.24 release. You can try it yourself if you want.
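The runtime check floated in the comment above, as an added example that is not Wesnoth's own code: it asks the libwebp that is actually loaded for its version through libwebp's WebPGetDecoderVersion (whose packed MAJOR<<16 | MINOR<<8 | REV layout is taken from the library's public header) rather than trusting any build-time version, and compares it with a minimum that is left as a placeholder to be filled in from the advisory; the weak declaration is an assumption that lets the file link where libwebp is absent.

```c
#include <stdio.h>

/* libwebp's WebPGetDecoderVersion() reports the version of the library loaded
 * at run time, packed as (MAJOR << 16) | (MINOR << 8) | REV. It is declared
 * weak here (assumption: GCC/Clang on ELF) so this file still links on a
 * machine without libwebp; a real build would instead
 * #include <webp/decode.h> and link with -lwebp. */
__attribute__((weak)) int WebPGetDecoderVersion(void);

/* Split the packed version into its three components. */
void webp_unpack_version(int packed, int *major, int *minor, int *rev)
{
    *major = (packed >> 16) & 0xff;
    *minor = (packed >> 8) & 0xff;
    *rev   = packed & 0xff;
}

/* Return 1 if the packed run-time version is at least
 * min_major.min_minor.min_rev, else 0. Component-wise, so 1.4.0 >= 1.3.9. */
int webp_version_ok(int packed, int min_major, int min_minor, int min_rev)
{
    int major, minor, rev;
    webp_unpack_version(packed, &major, &minor, &rev);
    if (major != min_major) return major > min_major;
    if (minor != min_minor) return minor > min_minor;
    return rev >= min_rev;
}

int main(void)
{
    /* PLACEHOLDER: the first libwebp release that fixes the CVE discussed in
     * this issue; take the real numbers from the advisory before relying on
     * this check. */
    const int min_major = 0, min_minor = 0, min_rev = 0;

    if (!WebPGetDecoderVersion) {
        puts("libwebp is not linked into this binary; nothing to check.");
        return 0;
    }
    int packed = WebPGetDecoderVersion(), major, minor, rev;
    webp_unpack_version(packed, &major, &minor, &rev);
    if (webp_version_ok(packed, min_major, min_minor, min_rev)) {
        printf("libwebp %d.%d.%d at run time: OK\n", major, minor, rev);
        return 0;
    }
    fprintf(stderr, "warning: libwebp %d.%d.%d at run time is older than "
            "%d.%d.%d; WebP decoding may be unsafe\n",
            major, minor, rev, min_major, min_minor, min_rev);
    return 1;
}
```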
Describe the desired feature
There was recently a disclosure of a major webp vulnerability that lots of projects are rushing to patch: https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
Wesnoth should assess this CVE's impact on its own webp usage, and make any changes necessary to mitigate it.