URGENT: CVE-2023-5129 (CVE-2023-4863) vulnerability

Hi,

Please confirm whether GIMP is affected by CVE-2023-5129 (CVE-2023-4863) - specifically the libwebp package. If so, when will a patch be available?

Thank you for your prompt attention in this matter.

Regards,
Benton

It's not GIMP's job to patch webp, but whoever maintains the package that you're using. So the answer is: depends on what you're using.

1 Like

Understood. Just trying to confirm whether GIMP includes the libwebp package in the install. If so, would GIMP update libwebp to version 1.3.2 which has the vulnerability fix?

Did you even read my reply?

Sorry if I misunderstood. Are you saying GIMP will not be updating the libwebp DLLs with a version that contains the vulnerability fix?

What OS are you using?

Windows 10

The stable version will likely update at some point but hasn’t been updated yet.

Thanks. Will there be an approximate timeline? My company is looking to update the product as soon as possible since this particular vulnerability has maximum CVSS score of 10.

Your company should patch it themselves if they’re really that worried. Honestly pushing for unpaid volunteers to do work so you can ship something to make money is gross.

2 Likes

I understand the importance of this vulnerability, but the targets are mainly browsers. Which makes sense, because this format is meant to be better for the web (better compression and quality, as far as I know), hence the first consumers are browsers.

On the other hand there are raster editors, like GIMP, which are used to create these images (but not to consume them in the wild, where the risk is).

Out of curiosity, how does it create that rush in your company because of GIMP?

Do not get me wrong, I consider this should be addressed of course, I just want to understand where the panic comes from.

Thanks

1 Like

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

“Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)” - So the risk here is that if you open a malicious webp file, it may be able to escape memory bounds. This is a greater risk for a browser since a page could have an “invisible” but malicious webp file referenced.

  1. Are you actually opening webp files? If the answer is no, you have no risk.
  2. If you are opening webp files, are they only from trusted sources? If the answer is yes, you have no risk. If the answer is no - why are you editing random webp files from untrusted sources?
  3. The CVSS score is 8.8, not 10 per the link above
  4. CVSS scores are well documented to be bullshit. See "CVE-2020-19909 is everything that is wrong with CVEs" (daniel.haxx.se) and "curl - Bogus report filed by anonymous - CVE-2020-19909" for example - people need to apply critical thinking skills to determine whether or not a vulnerability is ACTUALLY critical.

3 Likes

First off, I appreciate the understanding. My company treats vulnerabilities with significant visibility, especially one that is considered critical. Our department deploys the software for use, and it is hard to tell if users' workflows involve webp or not, but as a precaution, and per our security policy, high vulnerabilities must be mitigated as soon as possible. Hope this helps clarify.

1 Like

Thanks :slight_smile:

In my company we have had a couple of updates this week and I guess that one of them was related to it.

I could not find any issue in the repository, perhaps you can create one for awareness: Issues · GNOME / GIMP · GitLab

Bye!

Initial short-term mitigation:
  1. Instruct users not to open webp files with the current version.
  2. If they NEED to open webp files, ensure they only open them from trusted sources. Frankly, if they need to be told to do this, you need to have some additional discussions about why they are editing random webp files from untrusted/random sources - even if you fix libwebp you still potentially have legal exposure to a copyright claim here.

Long-term mitigation: When a new packaging of GIMP for Windows is released, install that - I'm assuming that the GIMP packaging team is working on this.

1 Like
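Since the practical question in this thread is whether the libwebp shipped with a GIMP install is at or above 1.3.2, here is an added example (not code from the thread or from the GIMP project) of an inventory check a deployment team could run over an install directory. It assumes the bundled library exports libwebp's standard `WebPGetDecoderVersion()` (which packs major/minor/revision as one byte each, e.g. `0x010302` for 1.3.2) and that dependent DLLs are resolvable from the working directory; the file-name pattern for the core library is an assumption.

```python
import ctypes
import re
from pathlib import Path

# First libwebp release carrying the fix for CVE-2023-4863 / CVE-2023-5129 (per the thread).
FIXED_VERSION = (1, 3, 2)

# Assumed naming of the core library: libwebp-7.dll, libwebp.so.7, libwebp.7.dylib ...
# The [-.] right after "libwebp" deliberately excludes libwebpmux / libwebpdemux,
# which do not export WebPGetDecoderVersion.
_CORE_NAME = re.compile(r"^libwebp[-.]\d*\.?(dll|so|dylib)", re.IGNORECASE)


def is_libwebp_core(filename):
    """True if the file name looks like the core libwebp shared library."""
    return _CORE_NAME.match(filename) is not None


def unpack_webp_version(packed):
    """Split the int returned by WebPGetDecoderVersion() into (major, minor, revision)."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_patched(version):
    """Version tuples compare lexicographically, so 1.3.2 and 1.4.0 both pass."""
    return tuple(version) >= FIXED_VERSION


def query_libwebp(path):
    """Load one library and ask it for its version; None if it cannot be loaded."""
    try:
        lib = ctypes.CDLL(str(path))
        fn = lib.WebPGetDecoderVersion
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_int
    fn.argtypes = []
    return unpack_webp_version(fn())


def audit_install(install_dir):
    """Map every core libwebp library under install_dir to its version and status."""
    report = {}
    for p in Path(install_dir).rglob("*"):
        if p.is_file() and is_libwebp_core(p.name):
            v = query_libwebp(p)
            if v is None:
                report[str(p)] = "could not load (missing dependencies or no WebPGetDecoderVersion export)"
            else:
                status = "patched" if is_patched(v) else "VULNERABLE, update to 1.3.2 or later"
                report[str(p)] = "%d.%d.%d (%s)" % (v[0], v[1], v[2], status)
    return report
```

Run `audit_install(r"C:\Program Files\GIMP 2\bin")` (or wherever the package put its DLLs) from inside that directory so dependent DLLs resolve.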

Hi! The issue is being tracked here: New package revisions for libwebp vulnerability (#9986) · Issues · GNOME / GIMP · GitLab

Yeah… It should be updated, but it’s not critical or urgent for graphics software IMHO, relax :slight_smile:

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

It's critical for web browsers, yes.