webp 0day

#10637
RootZombie

    Hey guys,

    Have you seen this :  https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days ?

    Possible that you need to check for electron’s update (and maybe other lib w/ some img management ?) to provide an update of Publii embarking the security fixes once they’re published.


    #10638
    Tomasz Dziuda

    Hi,

    Thank you for mentioning this.

    Tomorrow we want to publish the files of Publii v.0.43, and fortunately, as I see it, upgrading two dependencies (Electron and sharp) will solve this issue; they will be upgraded to the newest possible versions.

    Fortunately, due to Publii's nature, this bug has limited impact, because the user first has to use a WebP image from an untrusted source. I do not see a way to evaluate it remotely as, e.g., in 1Password, where some other user from the shared vault could change a vault image to an affected one and then attack other users of the vault.

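The fix described in the reply above is a dependency upgrade: both Electron and sharp ship their own copy of libwebp, so every installed copy of those packages (including nested duplicates under another dependency) has to reach a patched release. The following script is an added example, not Publii's code, that audits an npm lockfile for exactly that. The lockfile contents are constructed for the example, and the version numbers in FIXED_RELEASES are placeholder assumptions that must be replaced with the fixed versions from the respective projects' advisories; the point it demonstrates is that the check has to be per release line, since a global minimum would wrongly report an older patched line as unpatched.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed npm lockfile fragment (lockfileVersion 2/3 "packages" layout).
# Not Publii's real lockfile; the versions are made up for the example.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/electron": {"version": "25.2.0"},
        "node_modules/sharp": {"version": "0.32.1"},
        "node_modules/some-tool/node_modules/sharp": {"version": "0.32.6"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Packages that bundle libwebp, mapped to the first patched release of each
# maintained release line. ASSUMPTION / PLACEHOLDER: these numbers are not taken
# from the thread; replace them with the fixed versions from each project's
# advisory before relying on the result.
FIXED_RELEASES: Dict[str, List[str]] = {
    "electron": ["24.8.3", "25.8.1", "26.2.1"],
    "sharp": ["0.32.6"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.8.1' (or '25.8.1-beta.2') into a comparable tuple of ints."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.split("."))


def is_patched(name: str, version: str) -> bool:
    """A version counts as patched only if its own release line has a fix and it
    is at or past that fix. Comparing against one global minimum would wrongly
    flag e.g. 24.8.3 as older than 25.8.1."""
    v = parse_version(version)
    for fixed in FIXED_RELEASES[name]:
        f = parse_version(fixed)
        if f[0] == v[0]:
            return v >= f
    return False  # unknown release line: treat as unpatched, never as safe


def audit_lock(lock_text: str) -> List[Dict[str, str]]:
    """Walk every installed copy (nested duplicates included) of the watched packages."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # The package name is whatever follows the last "node_modules/" segment.
        name = path.rsplit("node_modules/", 1)[-1]
        if path and name in FIXED_RELEASES and "version" in meta:
            findings.append({
                "path": path,
                "name": name,
                "version": meta["version"],
                "status": "patched" if is_patched(name, meta["version"]) else "needs-upgrade",
            })
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['status']:13} {f['name']}@{f['version']}  ({f['path']})")
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file contents; any "needs-upgrade" line means a copy of the affected library is still installed somewhere in the tree, even if the top-level dependency was already bumped.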
