WebP CVE-2023-4863 #4411
Comments
|
I don't know if the bootstrap script is needed. But as the dependencies for the dev builds are managed via vcpkg and usually have the latest release of a library, mapnik can already use libwebp 1.3.2 and gdal 3.7.2 |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A relatively high severity CVE-2023-4863 was recently reported, affecting lossless WebP decompression. It appears to me that there may be two routes by which mapnik may be vulnerable. The first is dependency on libwebp 0.6.0:
mapnik/bootstrap.sh
Line 61 in f391178
and the second is dependence on libgdal 2.2.3:
mapnik/bootstrap.sh
Line 62 in f391178
Both dependencies have been patched, with [email protected] and [email protected] containing patched libwebp. I'm a little concerned about the effort which adopting the patches may entail, as both dependencies involve a major version bump.
Is there action we can take or guidance you can offer which may facilitate successful adoption of patched libwebp and subsequent publishing of a patched mapnik library?
(I will follow up on that repo later, but node-mapnik would presumably also need a patch once mapnik is updated.)
The text was updated successfully, but these errors were encountered: