this post was submitted on 26 Sep 2023
19 points (91.3% liked)

Liftoff!

4352 readers
1 users here now

A mobile client for Lemmy running on iOS and Android

founded 1 year ago
MODERATORS
 

I recently saw an article (https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/) that said WEBP images could be a huge security hole right now and I know Lemmy uses a lot of WEBP images.

I'm not sure how long this has been known, so maybe the Liftoff devs already took care of it. Does anyone know if Liftoff has already made the necessary patches?

you are viewing a single comment's thread
view the rest of the comments
[–] henfredemars@infosec.pub 1 points 1 year ago* (last edited 1 year ago)

I must disagree. The information is public and there are many sources that describe how to construct such a file that can trigger the heap buffer overflow. You don't need to understand all the theory to cause the overflow.

I don't think it's that complicated. I'm sure it will be used as an N-day for a long time.

The key to effective exploitation is learning to understand deeply only those parts that require deep understanding.