Webp 0 day vulnerability patch

Posted: 28 Sep 2023 22:19
by jediknight36
Hey all, I joined specifically to ask about the recent Webp 0 day patch revealed earlier this month. Some information about it is listed here: https://www.cyberkendra.com/2023/09/web ... e-for.html

On the list they reference from Wikipedia, it lists VLC as an application that relies on this library of software. I checked and VLC hasn't been updated since last year, it looked like. Is there a planned update to patch this?

Re: Webp 0 day vulnerability patch

Posted: 29 Sep 2023 19:21
by Rémi Denis-Courmont
VLC normally uses libvpx to decode WebP.

In fact, libwebp is not directly supported by VLC, and it is also not included in VLC contribs, meaning that it is not part of official VLC binaries released on VideoLAN.org. So there are no plans to make any patch, because there is nothing to patch.

Re: Webp 0 day vulnerability patch

Posted: 29 Sep 2023 19:26
by jediknight36
Fantastic. I appreciate it

Re: Webp 0 day vulnerability patch

Posted: 29 Sep 2023 23:24
by zfuss-litc
Hi Rémi, appreciate your hard work on VLC.

Could you comment on a similar CVE that affects libvpx? https://nvd.nist.gov/vuln/detail/CVE-2023-5217

Similar to how the libwebp vulnerability (CVE-2023-4863) was first handled, I believe Google has mistakenly marked this as affecting only Chrome. A confirmation one way or the other would be fantastic.

Thanks

Re: Webp 0 day vulnerability patch

Posted: 30 Sep 2023 10:35
by Rémi Denis-Courmont
That is being worked on, but as far as is known, this only affects encoding, not decoding. So it is a very minor concern in the context of VLC: you would not encode VP8 without knowing, and it seems very unlikely that an attacker could exploit an encoder bug in VLC in any case.

Re: Webp 0 day vulnerability patch

Posted: 30 Sep 2023 13:42
by WinnieW
I'm no expert when it comes to this, but the developers released libvpx 1.13.1; two security-related fixes are listed.

https://chromium.googlesource.com/webm/ ... gs/v1.13.1

Why are web browsers affected by this security flaw? They decode video, they don't encode video. :?
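The thread turns on two practical questions a defender can answer on their own machine: does a given binary actually link libwebp or libvpx at all (Rémi's point that there is nothing to patch when the library is not a dependency), and if it links libvpx, is the installed copy at least the 1.13.1 release mentioned above. The following script is an added example, not code from the thread or from the VLC project. It parses `ldd`-style output and a map of installed versions; both inputs (`SAMPLE_LDD`, `SAMPLE_VERSIONS`) are constructed here, the pkg-config names `vpx` and `libwebp` are assumed, and the only minimum version it knows is the libvpx 1.13.1 cited in this thread (for libwebp it reports presence and leaves the version judgement to the vendor advisory).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ldd <binary>` output for a hypothetical media player.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffd1b3f2000)
    libvpx.so.8 => /usr/lib/x86_64-linux-gnu/libvpx.so.8 (0x00007f2a1c200000)
    libavcodec.so.60 => /usr/lib/x86_64-linux-gnu/libavcodec.so.60 (0x00007f2a1b000000)
    libwebp.so.7 => /usr/lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f2a1ae00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1ac00000)
"""

# Constructed sample of installed library versions, as `pkg-config --modversion`
# would report them (assumed pkg-config names: "vpx" for libvpx, "libwebp" for libwebp).
SAMPLE_VERSIONS = {"vpx": "1.13.0", "libwebp": "1.3.1"}

# Libraries to watch: soname stem -> (pkg-config name, minimum version or None).
# libvpx 1.13.1 is the release this thread cites as carrying security fixes;
# the thread names no fixed libwebp version, so presence alone is reported.
WATCHLIST: Dict[str, Tuple[str, Optional[str]]] = {
    "libvpx": ("vpx", "1.13.1"),
    "libwebp": ("libwebp", None),
}

# Matches the "soname => /path/to/lib (address)" form of ldd output lines.
_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s+=>\s+(?P<path>\S+)")


def linked_libraries(ldd_output: str) -> Dict[str, str]:
    """Map each soname stem (e.g. 'libvpx') to its resolved path."""
    found: Dict[str, str] = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if not m:
            continue  # vdso and loader lines lack the "=>" form; skip them
        stem = m.group("soname").split(".so")[0]
        found[stem] = m.group("path")
    return found


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.13.1' into (1, 13, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def assess(ldd_output: str, versions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (library, status) for each watched library the binary actually links."""
    findings: List[Tuple[str, str]] = []
    linked = linked_libraries(ldd_output)
    for stem, (pkg, minimum) in WATCHLIST.items():
        if stem not in linked:
            continue  # not a dependency: nothing to patch for this binary
        installed = versions.get(pkg)
        if installed is None:
            findings.append((stem, "linked, version unknown"))
        elif minimum is None:
            findings.append((stem, f"linked, {installed} installed, check vendor advisory"))
        elif parse_version(installed) < parse_version(minimum):
            findings.append((stem, f"linked, {installed} < {minimum}, update needed"))
        else:
            findings.append((stem, f"linked, {installed} >= {minimum}, ok"))
    return findings


if __name__ == "__main__":
    for lib, status in assess(SAMPLE_LDD, SAMPLE_VERSIONS):
        print(f"{lib}: {status}")
```

On a real system you would feed `assess` the output of `ldd` on the binary and the versions from your package manager or `pkg-config`; a library absent from the `ldd` output is simply not reported, which is the "nothing to patch" case. Note that `ldd` only shows dynamic dependencies, so a statically linked or bundled copy of a codec (as in self-contained builds) needs a separate check.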

Re: Webp 0 day vulnerability patch

Posted: 30 Sep 2023 19:25
by Rémi Denis-Courmont
Browsers do encode video notably for videoconferencing purposes.

Re: Webp 0 day vulnerability patch

Posted: 30 Sep 2023 20:56
by WinnieW
Yeah, you are right. I didn't think about that.

But VLC Player can also encode video (in VP8), can't it? And there is no problem in this case?