GHSA-f9pm-4g9p-6vm3: Bundled libwebp in pywebp vulnerable

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in their wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow that allowed a remote attacker to perform an out-of-bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2. pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.
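A dependency check for this advisory, added here as an example and not part of the advisory or the pywebp project: it flags requirement lines and installed distributions that still permit pywebp below 0.3.0. It assumes pywebp's distribution name on PyPI is `webp` (the `pywebp` spelling is matched as well) and uses constructed sample requirements.

```python
import re
from importlib import metadata

FIXED_VERSION = (0, 3, 0)  # first pywebp release that bundles a patched libwebp (per the advisory)
# "webp" as pywebp's PyPI distribution name is an assumption; both spellings are checked.
PACKAGE_NAMES = {"pywebp", "webp"}
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|~=|<=|>=|<|>|!=)?\s*v?([0-9][0-9A-Za-z.]*)?")

def parse_version(text: str) -> tuple:
    """Turn 'v0.2.1' or '0.3' into a comparable int tuple (pre-release suffixes dropped)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version: str) -> bool:
    """True if this pywebp version predates 0.3.0 and so bundles the vulnerable libwebp."""
    return parse_version(version) < FIXED_VERSION

def scan_requirements(lines) -> list:
    """Flag requirement lines that still permit an affected pywebp release."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop inline comments and whitespace
        m = _REQ_RE.match(line) if line else None
        if not m or m.group(1).lower() not in PACKAGE_NAMES:
            continue
        name, op, ver = m.groups()
        # Safe only when an exact pin or lower bound sits at/above the fix; an unpinned
        # line or an upper bound alone still lets pip resolve a pre-0.3.0 wheel.
        if op in ("==", "~=", ">=", ">") and ver and not is_affected(ver):
            continue
        findings.append(f"{name}{op or ''}{ver or ''}: permits pywebp < 0.3.0 (libwebp vulnerable to CVE-2023-4863); require >=0.3.0")
    return findings

def installed_status():
    """Report the pywebp installed in this interpreter, or None if it is absent."""
    for name in PACKAGE_NAMES:
        try:
            ver = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        return f"{name} {ver}: {'AFFECTED' if is_affected(ver) else 'patched'}"
    return None

# Constructed sample requirements.txt lines, not taken from any real project.
SAMPLE_REQUIREMENTS = ["webp==0.1.6  # old wheel", "pywebp>=0.3.0", "webp  # unpinned", "pillow==10.0.1"]
```

Run `scan_requirements` over a project's requirements files and `installed_status()` inside the deployed interpreter; both report only whether the pywebp version is below the patched 0.3.0 release.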

References

  • https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-4863

High severity GitHub Reviewed Published Oct 6, 2023 in anibali/pywebp • Updated Oct 6, 2023
