libwebp vuln

analrapist

Gamerfag panda brought CVE-2023-4863 ( https://nvd.nist.gov/vuln/detail/CVE-2023-4863 ) to my attention ( https://twitter.com/GamingAndPandas/status/1707987314708775181 ).

Apparently, particularly crafted WEBP images can be used to exploit anything linked to the library libwebp, which includes things like Chrome and derivatives, Firefox, Discord, et cetera. It was patched within a week by Debian (on -security repos, vanilla is still vulnerable), but I guess there's a new wave of exploits, and other platforms care less about security.

Given that this site is highly adversarial, it might behoove administration to temporarily disable WEBP images? IDK. I'm a white hat, not a black hat. I don't see anyone else talking about this, so I reckoned it might be worth mentioning.

Any black or grey hats here who care to calm my concerns? Pandafag isn't known for hysteria.
 
You can upload WebPs here? They never work for me; I always have to convert them to .jpg or .png first to upload them on KF.
Best case scenario, IMO. Thanks for mentioning. I avoid them like the plague also. (Seems like you can attach them, but they won't display. Great. Attached is nothing malicious, just a screenshot of Prusa Slicer.)

Apparently, this hits the Electron apps like Discord worse as users don't understand that they're browsers that need updating.
 

patched within a week by Debian (on -security repos, vanilla is still vulnerable)

Feels good man.
 
The forum uses WebP for various images such as avatars, UI elements and so on. Technically speaking, WebP is a good format, as you can make animated images with better quality and lower filesize than GIF for example.

And if anyone will tell me that GIF is a good image format, they're a retard. It's an anomaly that should've been long superseded by something better, such as animated PNG, but alas, the whole web is still using a format that has horrendous dithering and uses up an insane amount of disk space to show something that other formats do at a much smaller file size while also having better quality.

However, the big issue is the low adoption of the format, and the issue with that is that it's really patchy. For example, WebP and WebM are sister open file formats developed by Google as a modern web-oriented replacement for the legacy media formats. WebM has a high adoption rate and people generally don't have an issue with it, but WebP doesn't, so people hate it even though it is a good format, and if something supports WebM, it should support WebP.

But this issue is even more autistic than that. For example JFIF. It's basically a JPEG but with extra metadata, and it's as old as JPEG itself. Yet modern software has an issue with loading and displaying JFIFs, even though Internet Explorer on Windows 95 can load that file format flawlessly.

Another example, APNG:
Animated_PNG_example_bouncing_beach_ball.png

This is a format that's 15 years old and is superior to GIF, yet it still has issues with support in certain programs. It might be possible you'll see a static ball while it should be bouncing.

Or, you know, old bitmap files. Modern browsers and software have issues supporting it, despite it being as old as JPEG, GIF, or PNG. And the list goes on.

Basically, we still rely on old formats, and some newer formats are technically superior to them, but for some reason they don't get universal support, and neither do formats that stem from the legacy ones we rely on.

It's really stupid and I will stand by my words that WebP did nothing wrong, all the soydevs who can't even reliably support subformats of JPEG and PNG did everything wrong.
 
WebP did everything wrong because it isn't convenient. You can't reupload these images you find/save anywhere. It's just an extra step forcibly implemented by annoying websites.
 
WebP did everything wrong because it isn't convenient. You can't reupload these images you find/save anywhere. It's just an extra step forcibly implemented by annoying websites.
No, it's on the devs that make WebM work on absolutely fucking everything but refuse to do the same for WebP, even though both formats are open and there's nothing stopping them from making WebP as convenient as PNG or GIF. And there is no excuse, both WebM and WebP are open standards and there's nothing stopping them from implementing support for both.

It's like saying USB C is bad because it's not on everything. It's superior to all the older standards in every way. The connector is symmetrical, you can charge a laptop from it, you can run a monitor, network card, SD card reader and additional USB devices from a single cable. But to say it's bad because laptop manufacturers or case manufacturers don't add it to their products is ignorant, you should forward your annoyance to them instead of towards USB C itself.

The reason WebP isn't convenient is because of soydevs being braindead cucks who don't support it. If they can't implement support for JFIF which worked flawlessly on stock Windows 95, then they should be fired and never hired by anyone because they are incompetent retards.
 
to say it's bad because laptop manufacturers or case manufacturers don't add it to their products is ignorant, you should forward your annoyance to them instead of towards USB C itself.
If WebP is rolled out onto every website yet no effort is invested into basic functionality, then it has failed as a format. If I design the best car in the world but the price tag is in an awkward spot where average buyers can't afford it and luxury buyers don't see it as luxurious enough, then the car is a failure. Functionally speaking, all you accomplish by making your website's images WebP is giving users an extra step in saving them if they'd like to ever use that image. The worst thing you can be in technology is inconvenient. Well, maybe second worst (the actual worst is developed by Indians.)
 
Apparently, this hits the Electron apps like Discord worse as users don't understand that they're browsers that need updating.
The main problem is that various applications might have old versions of libwebp that don't get patched. E.g. on Linux I have a system copy of libwebp.so, which was patched. Theoretically that should be used by programs I install, but some choose to use their own version of libwebp, for example browsers. Most mainstream browsers should at least be patched quickly, since that is the most security-critical context for this vulnerability.

Then you have Electron apps, which are basically browsers. Those won't receive an update until the publisher of the Electron app gets around to it. Discord probably pushed a patch almost immediately, but there is a long tail of other Electron apps that have bare minimum support. Who knows how long it will take for those to get patched, if at all.

Then the really fun part is when you get into Android apps. What about Android devices that don't receive reliable updates after 3-5 years? Or apps that bundle their own vulnerable version of libwebp?

Vulnerabilities like this are a pain in the ass because they will keep popping up in unexpected places for months or years.
 
I don't dive deep into the web and I adblock, but I'm still skeeved to think I may have been compromised already. Got my fingers crossed that Linux is still niche enough that current exploits out in the wild are tailored to Apple and Microsoft products.
 
Already patched. It never affected Discord because while it uses Electron/Chromium, it doesn't actually use the libwebp library. Try uploading an animated webp to Discord, it won't render.
 
This flaw was caused by a lack of bounds checking. Apparently, they proved they wouldn't need to use more than a certain amount of state to store some information while decoding such files, but they did so incorrectly. Even in a program proven correct, there's little reason to remove checking during program execution, since it can then serve as protection against hardware faults.

For truly unnecessary checking, the compiler may remove such checks if it can prove them to be unnecessary, but they write this shit in the C or C++ languages, for which it's hard to have the compiler prove anything. Ada's a much better language.

Anyway, the so-called state of the art is pathetic, and Google is pathetic.
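As an added illustration of the pattern this post describes (example code written for this thread, not libwebp's source and not the actual code path of CVE-2023-4863): a flat prefix-code lookup table whose buffer is sized from an assumed bound on the longest code, beside a builder that measures what the input really needs before it writes anything. Every name here (`ASSUMED_MAX_LEN`, `Entry`, `fill_table`, `build_table_checked`, the sample length sets) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LEN 15            /* longest code length the format allows */

/* Hypothetical "proven" bound: valid streams never need codes longer than
 * 6 bits, so a flat lookup table of 1 << 6 entries is "enough".  The bug
 * pattern is sizing the buffer from this bound and never re-checking it. */
#define ASSUMED_MAX_LEN 6
#define ASSUMED_SLOTS   (1u << ASSUMED_MAX_LEN)

typedef struct { uint16_t symbol; uint8_t bits; } Entry;

/* Constructed inputs: a well-formed length set, and a crafted one that
 * declares an 8-bit code, i.e. 256 slots against a 64-slot buffer. */
const uint8_t kGoodLengths[]    = {2, 2, 3, 3, 3, 3};
const uint8_t kCraftedLengths[] = {1, 8};

/* Longest code length requested by the input (0 if no symbol is coded). */
unsigned max_code_length(const uint8_t *lengths, size_t n) {
    unsigned m = 0;
    for (size_t i = 0; i < n; i++)
        if (lengths[i] > m) m = lengths[i];
    return m;
}

/* Slots a flat table needs when the decoder peeks max_len bits at once. */
size_t required_slots(const uint8_t *lengths, size_t n) {
    unsigned m = max_code_length(lengths, n);
    return m ? (size_t)1 << m : 0;
}

/* Canonical prefix-code construction (codes assigned in order of length,
 * then symbol).  Writes (1 << max_len) entries to `table`; the caller must
 * guarantee the buffer is that large.  Returns the slot count, or -1 for an
 * invalid (over-long or over-subscribed) length set. */
static long fill_table(Entry *table, const uint8_t *lengths, size_t n,
                       unsigned max_len) {
    uint16_t bl_count[MAX_CODE_LEN + 1] = {0};
    uint32_t next_code[MAX_CODE_LEN + 1] = {0};
    uint32_t code = 0;

    if (n > UINT16_MAX || max_len == 0 || max_len > MAX_CODE_LEN) return -1;
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] > MAX_CODE_LEN) return -1;
        bl_count[lengths[i]]++;
    }
    bl_count[0] = 0;
    for (unsigned len = 1; len <= MAX_CODE_LEN; len++) {
        code = (code + bl_count[len - 1]) << 1;
        next_code[len] = code;
    }

    size_t slots = (size_t)1 << max_len;
    memset(table, 0, slots * sizeof *table);   /* already writes `slots` entries */
    for (size_t sym = 0; sym < n; sym++) {
        unsigned len = lengths[sym];
        if (len == 0) continue;
        if (len > max_len) return -1;
        uint32_t c = next_code[len]++;
        if (c >> len) return -1;               /* more codes than this length allows */
        size_t step = (size_t)1 << (max_len - len);
        for (size_t k = 0; k < step; k++) {    /* replicate across the unused low bits */
            table[(size_t)c * step + k].symbol = (uint16_t)sym;
            table[(size_t)c * step + k].bits = (uint8_t)len;
        }
    }
    return (long)slots;
}

/* Vulnerable pattern: trusts the assumed bound.  `table` is expected to hold
 * ASSUMED_SLOTS entries; an input declaring a code longer than
 * ASSUMED_MAX_LEN makes fill_table write past the end of it.  Kept only for
 * contrast; never call it on untrusted input. */
long build_table_unchecked(Entry *table, const uint8_t *lengths, size_t n) {
    return fill_table(table, lengths, n, max_code_length(lengths, n));
}

/* Hardened: measure what the input really needs and refuse it when that
 * exceeds the buffer the caller actually has, before any write happens. */
long build_table_checked(Entry *table, size_t capacity,
                         const uint8_t *lengths, size_t n) {
    size_t need = required_slots(lengths, n);
    if (need == 0 || need > capacity) return -1;
    return fill_table(table, lengths, n, max_code_length(lengths, n));
}

int main(void) {
    Entry table[ASSUMED_SLOTS];
    printf("good: checked build -> %ld slots\n",
           build_table_checked(table, ASSUMED_SLOTS, kGoodLengths, sizeof kGoodLengths));
    printf("crafted: needs %zu slots, buffer holds %u, checked build -> %ld\n",
           required_slots(kCraftedLengths, sizeof kCraftedLengths), ASSUMED_SLOTS,
           build_table_checked(table, ASSUMED_SLOTS, kCraftedLengths, sizeof kCraftedLengths));
    /* build_table_unchecked(table, kCraftedLengths, 2) would overflow `table` here. */
    return 0;
}
```

The only difference between the two builders is the comparison against the buffer the caller really has; the checked one costs a single pass over the length array, which is the kind of runtime check the post argues should stay in even when a proof says it can never fail.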
 
It's really stupid and I will stand by my words that WebP did nothing wrong, all the soydevs who can't even reliably support subformats of JPEG and PNG did everything wrong.
WebP didn't; Google (and other hosters) did, forcing that shit on people to the point you have to use extensions to get the original source file.
Besides, as you said, APNG has been a thing for even longer, so why not push that instead? No, Google had to push their own shit, and by now plenty of people treat Google like Microsoft, where even potentially good things get suspicion and rejection.

The reason weebum got broader adoption was replacing GIFs as well, which relegates WebP/APNG to even more of a niche. File size is also a moot point when hosters shove several megabytes of JS frameworks for basic bitch navigation down people's throats. WebP is also often lossy, which again, given current internet speeds, isn't really necessary either. Another minor nitpick is that it can be both animated and static; sometimes you want to know if the picture allows animation at all. (A)PNG is a much more obvious distinction.

Also, WebP is a silly name and I would not have sex with it.

How to disable WebP in Firefox:
about:config
image.webp.enabled
toggle to false
Checked some websites and WebP images were replaced by JPEG images.
Doesn't always work and causes other issues. IIRC one of them is having no fallback, so if you don't allow WebP you don't even see the image at all (because Firefox just goes "I don't know what this is").

https://addons.mozilla.org/en-US/firefox/addon/dont-accept-webp/ usually works better.
 