
webp 0day

  • #10637
    [anonymous]

    Hey guys,

    Have you seen this: https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days ?

    It's possible that you need to check for Electron's update (and maybe other libs with some image management?) to provide an update of Publii shipping the security fixes once they're published.

    #10638
    [anonymous]

    Hi,

    Thank you for mentioning this.

    Tomorrow we want to publish the files of Publii v0.43 and fortunately, as I see it, two dependencies will solve this issue (Electron and sharp); they will be upgraded to the newest possible versions.

    Fortunately, due to Publii's nature, this bug has limited impact, because firstly the user has to use a WebP image from an untrusted source. I do not see a way to evaluate it remotely as e.g. in 1Password, where some other user from the shared vault could change a vault image to an affected one and then attack other users of the vault.