Webp 0 day vulnerability patch

[jediknight36]

Hey all, I joined specifically to ask about the recent Webp 0 day patch revealed eariler this month. Some information about it is listed here: https://www.cyberkendra.com/2023/09/web ... e-for.html

On the list they reference from wikipedia, it lists VLC as an application that relies on this library of software. I checked and VLC hasnt been updated since last year, it looked like. Is there a planned update to patch this?

[Rémi Denis-Courmont]

VLC normally uses libvpx to decode WebP.

In fact, libwebp is not directly supported by VLC, and it is also not included in VLC contribs, meaning that it is not part of official VLC binaries released on VideoLAN.org. So there are no plans to make any patch, because there is nothing to patch.

[jediknight36]

Fantastic. I appreciate it

[zfuss-litc]

Hi Rémi, appeciate your hard work on VLC.

Could you comment on a similar CVE that affects libvpx? https://nvd.nist.gov/vuln/detail/CVE-2023-5217

Similar to how the libwebp vulnerability (CVE-2023-4863) was first handled, I believe Google has mistakenly marked this as affecting only Chrome. A confirmation one way or the other would be fantastic.

Thanks

[Rémi Denis-Courmont]

That is being worked on, but as far as is known, this only affects encoding not decoding. So it is a very minor concern in the context of VLC: You would not encode VP8 without knowing, and it seems very unlikely that an attacker could exploit an encoder bug in VLC in any case.

[WinnieW]

I'm no expert when it comes to this,
but the developers released libvpx 1.13.1
two security related fixes are listed.

https://chromium.googlesource.com/webm/ ... gs/v1.13.1

Why are web browsers affected by this security flaw? They decode video, they don't encode video. :?

[Rémi Denis-Courmont]

Browsers do encode video notably for videoconferencing purposes.

[WinnieW]

Yeah, you are right. I didn't think about that.

But VLC Player can also encode video (in VP8), can't it? And there is no problem in this case?