[GHSA-j7hp-h8jx-5ppr] libwebp: OOB write in BuildHuffmanTable

[pshelton-skype]

Updates

• Affected products

Comments
Magick.NET consumed the updated libwebp in version 13.3.0 per dlemstra/Magick.NET#1440, https://github.com/dlemstra/Magick.NET/milestone/67?closed=1

[darakian]

Hey, thanks for the suggestion, but I'm not seeing that nuget package
https://www.nuget.org/packages/Magick.NET
404s on me

[pshelton-skype]

Looks like a case-sensitive search? https://www.nuget.org/packages?q=magick.net lists a bunch of different build outputs.

[darakian]

I believe they're all different artifacts with different names. Can you confirm which are affected?

[pshelton-skype]

@darakian - sorry about that. Should be updated now.

[darakian]

Many thanks. One more ask if I may; can you provide some evidence on why those packages? Fix commits, changelogs, something like that would be awesome 👍

[pshelton-skype]

@darakian - Magick.NET version 13.3.0 consumes ImageMagick 7.1.1-17 (2023-09-19). Per discussion comments from the author in ImageMagick/ImageMagick#6664, libwebp version 1.3.2 was consumed in ImageMagick 7.1.1-17. It's a little complicated for me to follow, too.

[darakian]

Ya, that is a bit terse :(
I think the lower bound of zero is probably inaccurate, but taking a quick look I can't really figure out when webp was introduced, so I suppose we run with it for the time being. Thanks 👍

[advisory-database]

Hi @pshelton-skype! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!