Investigate libwebp CVE-2023-1999

[w-flo]

A double free (CVE-2023-1999) was fixed in libwebp in Firefox 112 and apparently Chrome, but there is not a lot of public info about this. Ubuntu 23.04 just updated the libwebp package to fix this issue. The same fix was applied upstream in February.

I would suggest applying this patch in libwebp-sys2-rs, too. Surprisingly, there is no 1.3.1 release yet, but the upstream 1.3.0 branch contains the fix and two other fixes (apparently for memleaks). Last update to that branch was in March without a release since then.

[w-flo]

The Chrome bug report is now public: https://bugs.chromium.org/p/chromium/issues/detail?id=1420107 Apparently, the vulnerability is difficult to trigger. It would require an out-of-memory error.

There is a libwebp-1.3.1-rc1 out now which fixes the vulnerability, so I guess 1.3.1 will be released soon (it was planned for last week).

[w-flo]

libwebp 1.3.1 is now public, and it looks like it fixes two more possible vulnerabilities (out-of-bounds heap buffer write): https://chromium.googlesource.com/webm/libwebp/+/c3bd7cff2e57b4bf1b744e70dd379570d83fb0e4 and https://chromium.googlesource.com/webm/libwebp/+/d49cfbb3487bb29aa38cc63f6a1dcc5ac29e47ca

The bug report (in Chromium) is "permission denied" for me.