I recently saw an article (https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/) that said WEBP images could be a huge security hole right now and I know Lemmy uses a lot of WEBP images.

I’m not sure how long this has been known, so maybe the Liftoff devs already took care of it. Does anyone know if Liftoff has already made the necessary patches?

  • Illecors
    link
    fedilink
    English
    191 year ago

    The vulnerability is fixed within pict-rs, which is part of lemmy instance default setup. It’s such a coincidence that I’ve just updated it on mine.

    TL;DR - it is not up to liftoff to fix it.

    • @MeatAndSarcasmGuyOP
      link
      English
      61 year ago

      Oh that’s interesting. I thought it would be through the app, since the article mentioned being patched in browsers; so that’s definitely good to know.