Dear Maintainer,

It might be too late for bullseye(?), but libwebp-1.2.0 is now out - as before:
https://chromium.googlesource.com/webm/libwebp/+/refs/heads/master/NEWS

I'm concerned about the state of WebP. The upstream code
Debian/Ubuntu's distribution is based on is now over four years old.
Since then (and shortly after the last update of this package on 1
March 2018), oss-fuzz was implemented, which led to the discovery of
several issues and resulting security hardening fixes as mentioned in
the release notes, which are now public - and have been for a year.

A few examples:
https://bugs.chromium.org/p/webp/issues/detail?id=383 [multi-byte-write-heap-buffer-overflow]
https://bugs.chromium.org/p/webp/issues/detail?id=385 [multi-byte-write-heap-use-after-free, thread race]
https://bugs.chromium.org/p/webp/issues/detail?id=386 [1-byte-read-heap-buffer-overflow]
https://bugs.chromium.org/p/webp/issues/detail?id=387 [chunk_size overflows in SizeWithPadding, allocates 4GB]
https://bugs.chromium.org/p/webp/issues/detail?id=388 [multi-byte-read (4GB) - same as above]
https://bugs.chromium.org/p/webp/issues/detail?id=391 [found in GraphicsMagick]

None appear to have CVEs, but they appear to be real issues. Some were
subject to multi-year security holds and only revealed in February
2020.
Some would not have applied to Chromium (it did not use threaded
mode), but could impact other users, e.g.:
https://bugs.chromium.org/p/chromium/issues/detail?id=917029

This software is liable to be used on files with arbitrary inputs,
both on client and web-accessible server machines, so DoS issues are a
concern. It's in PHP 7.x (via GD), python-pil, imagemagick, chromium,
libqt5webkit5, libavcodec58, etc. I don't know enough about their use
of this library to know if any of the bugs found are issues for them,
but it seems at least possible that some of them are.

I'm considering use of WebP on my own art hosting site, as it has
become widely usable in browsers, but I'm nervous about the idea of
integrating this version of the library into our image handling
pipeline. Is an update to a newer version feasible? I'm OK using sid
for this, though others might not be. Alternatively, is there a way as
an end-user to easily modify the package to use newer versions?

Best regards,
-- 
Laurence "GreenReaper" Parry
https://www.greenreaper.co.uk/