Webp 0 day vulnerability patch

Feature requests for VLC.
jediknight36
New Cone
New Cone
Posts: 2
Joined: 28 Sep 2023 22:13

Webp 0 day vulnerability patch

Postby jediknight36 » 28 Sep 2023 22:19

Hey all, I joined specifically to ask about the recent Webp 0 day patch revealed eariler this month. Some information about it is listed here: https://www.cyberkendra.com/2023/09/web ... e-for.html

On the list they reference from wikipedia, it lists VLC as an application that relies on this library of software. I checked and VLC hasnt been updated since last year, it looked like. Is there a planned update to patch this?

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Webp 0 day vulnerability patch

Postby Rémi Denis-Courmont » 29 Sep 2023 19:21

VLC normally uses libvpx to decode WebP.

In fact, libwebp is not directly supported by VLC, and it is also not included in VLC contribs, meaning that it is not part of official VLC binaries released on VideoLAN.org. So there are no plans to make any patch, because there is nothing to patch.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

jediknight36
New Cone
New Cone
Posts: 2
Joined: 28 Sep 2023 22:13

Re: Webp 0 day vulnerability patch

Postby jediknight36 » 29 Sep 2023 19:26

Fantastic. I appreciate it

zfuss-litc
New Cone
New Cone
Posts: 1
Joined: 29 Sep 2023 23:17

Re: Webp 0 day vulnerability patch

Postby zfuss-litc » 29 Sep 2023 23:24

Hi Rémi, appeciate your hard work on VLC.

Could you comment on a similar CVE that affects libvpx? https://nvd.nist.gov/vuln/detail/CVE-2023-5217

Similar to how the libwebp vulnerability (CVE-2023-4863) was first handled, I believe Google has mistakenly marked this as affecting only Chrome. A confirmation one way or the other would be fantastic.

Thanks

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Webp 0 day vulnerability patch

Postby Rémi Denis-Courmont » 30 Sep 2023 10:35

That is being worked on, but as far as is known, this only affects encoding not decoding. So it is a very minor concern in the context of VLC: You would not encode VP8 without knowing, and it seems very unlikely that an attacker could exploit an encoder bug in VLC in any case.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

WinnieW
Blank Cone
Blank Cone
Posts: 12
Joined: 16 Jul 2011 01:06

Re: Webp 0 day vulnerability patch

Postby WinnieW » 30 Sep 2023 13:42

I'm no expert when it comes to this,
but the developers released libvpx 1.13.1
two security related fixes are listed.

https://chromium.googlesource.com/webm/ ... gs/v1.13.1

Why are web browsers affected by this security flaw? They decode video, they don't encode video. :?

Rémi Denis-Courmont
Developer
Developer
Posts: 15266
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux
Contact:

Re: Webp 0 day vulnerability patch

Postby Rémi Denis-Courmont » 30 Sep 2023 19:25

Browsers do encode video notably for videoconferencing purposes.
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

WinnieW
Blank Cone
Blank Cone
Posts: 12
Joined: 16 Jul 2011 01:06

Re: Webp 0 day vulnerability patch

Postby WinnieW » 30 Sep 2023 20:56

Yeah, you are right. I didn't think about that.

But VLC Player can also encode video (in VP8), can't it? And there is no problem in this case?


Return to “VLC media player Feature Requests”

Who is online

Users browsing this forum: No registered users and 20 guests