> <https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/>
>
> A bug was found (painfully -- a zero day) in Apple's Safari and
> (separately) in Google's Chrome. This is a pretty serious bug -- it was
> used to spy on an opposition politician in Egypt.
>
> It is the same bug, and this was not reported.
>
> It turns out that the bug is in libwebp. "WebP codec is a library to
> encode and decode images in WebP format."
>
> libwebp is used in a lot of programs. On my Fedora 38 system, it is a
> shared library so it can be fixed in one update. Except where the library
> is copied (for example, statically linked, or used in a container of some
> sort).
>
> Electron is one thing that requires copies, and the article lists a lot of
> applications built on Electron.
>
> What a mess. What a mistake.
By shared libraries you don't mean libsomething.so, right? You mean everybody in the world using code they got from Somebody.

I'm just a little worried these days about the new .avif format. ImageMagick handles it in the Debian 12 distribution, but it hasn't made it to the current Raspberry Pi OS. A libavif exists, but seems to be controversial and hard to find. Everybody's choice of fallback seems to be libheif. libheif depends on libde265. libde265 is said to have no dependencies, but wouldn't (IIRC) install without finding something involving SSL2. Finally, ImageMagick was built, but libheif won't actually do anything without a separate codec, which it can obtain from libaom. The libaom from a Google git site throws up fatal compile errors. So there I am.

So the question arose in my mind: What the heck IS this stuff?

Since it's 3 AM and my mind is freewheeling, I ponder: If I were a well-funded system attacker, don't new image file formats look like a fine way to get everybody to install brand new kind-of-obscure library code (libaom.so on Debian 12 is 5 megabytes) without asking embarrassing questions?
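The quoted message makes the point that a shared libwebp can be patched in one update, while statically linked or bundled copies (Electron apps, containers) each need their own fix. The following script is an added example, not from either poster, showing how a defender can inventory a tree for both kinds of dependency: it flags files that the dynamic loader resolves against the library (via `ldd`) and files that merely contain the library's name, which is the usual sign of an embedded copy. The function name `scan_for_lib`, the default library name `libwebp`, and the output format are assumptions of this example.

```shell
#!/bin/sh
# scan_for_lib DIR [LIBNAME]
# Walk DIR and print one line per file that references LIBNAME:
#   "dynamic  <path>"  when ldd shows the file links the library at runtime
#                      (a distro package update will fix it)
#   "embedded <path>"  when the name appears inside the file but ldd does not
#                      resolve it (static link, bundled .so, or an archive
#                      that needs its own update)
# Matching on the library name inside the file is a heuristic: it catches
# version strings such as "libwebp.so.7" but can miss stripped static builds.
scan_for_lib() {
    dir="$1"
    lib="${2:-libwebp}"   # default target is libwebp (assumption of this example)

    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # -a treats binaries as text so grep reports matches instead of
        # "Binary file matches"; -q keeps the scan quiet.
        if grep -q -a "$lib" "$f" 2>/dev/null; then
            if command -v ldd >/dev/null 2>&1 \
               && ldd "$f" 2>/dev/null | grep -q "$lib"; then
                echo "dynamic  $f"
            else
                echo "embedded $f"
            fi
        fi
    done
}

# Usage: ./scan_for_lib.sh /opt /usr/lib [libwebp]
# Each directory given on the command line is scanned in turn.
if [ "$#" -gt 0 ]; then
    lib="libwebp"
    for d in "$@"; do
        [ -d "$d" ] && scan_for_lib "$d" "$lib"
    done
fi
```

Run it over the directories where third-party and bundled software lives (for example `/opt`, `/usr/lib`, a user's application directory, or an unpacked container image) and compare the "embedded" entries against the list of packages your distribution actually updated; those are the copies the one-line package fix did not reach.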