WebP Vulnerability

**Acorn** · 02 November 2023, 02:44 PM

@Xara, a critical vulnerability was identified on 06/25/28 Sep 2023 for the LibWebP library that you use in Pro+:
"WebP support uses the libwebp library, Copyright (c) 2010, Google Inc. The license [sic] is webp.txt in the HelpAndSupport folder of your Xara Designer software installation".

Have you patched your instance?
The current 2010 copyright statement is not encouraging.
https://www.tarlogic.com/blog/cve-2023-4863/:
"Although initially the vulnerability CVE-2023-4863 was assigned to Google Chrome, it really affects the library LibWebP. That’s why on September 25th, a new dedicated CVE identifier was created, the CVE-2023-5217. It is the same vulnerability but assigned to the library instead of Google Chrome browser exclusively. Also, Google assigned the highest criticality possible to this new identifier, with a CVSS3.1 score of 10."
(https://nvd.nist.gov/vuln/detail/CVE-2023-5217)
Acorn

**gwpriester** · 02 November 2023, 05:39 PM

What does this mean in plain English?

**handrawn** · 02 November 2023, 06:33 PM

hackers can build webpages that can inject [download] malware onto a visitors device when they view a WebP image

exactly how that relates to xara software, is for acorn....

**Acorn** · 02 November 2023, 06:37 PM

Originally Posted by handrawn

hackers can build webpages that can inject [download] malware onto a visitors device when they view a WebP image
exactly how that relates to xara software, is for acorn....

It could infect you if you open a malicious WepP in Pro+.

Acorn

**gwpriester** · 02 November 2023, 07:15 PM

Hmm? Does not sound good.

**mwenz** · 02 November 2023, 07:47 PM

Even if Xara applications are invulnerable to an infected WebP image, assuming one uses such an image and could pass it along untouched to a website build/update, it would then be possible that site can infect others or the designer's computer viewing the page they built unless both parties are using up to date browsers / browser components.

**handrawn** · 02 November 2023, 07:52 PM

Originally Posted by Acorn

It could infect you if you open a malicious WepP in Pro+.

Acorn

as I thought, thanks

**webmaster** · 03 November 2023, 10:52 AM

We frequently update libraries. While we accessed this to be a very low risk vulnerability, the LibWebP is already scheduled to be updated in the next release of the desktop products. Note that the copyright notice in the latest version of the LibWebP source files direct from Google still says 2010, so that isn't a specific cause for concern.

Have a good weekend.
Matt

[I am not sure why Matt, but your response to this thread was moderated and some of the foreign characters that appear in Russian spammer posts appeared in the title of your response. I replaced the title in your post and removed your response from moderation. Gary]

**Acorn** · 15 November 2023, 03:13 PM

Sneaking in under Matt's Closed Thread radar...

...the WebP vulnerability has now been patched in Xara Designer Pro+ 23.5.0.68069 SL x64 Nov 13 2023 and probably other Plus products.

Acorn

**webmaster** · 15 November 2023, 03:44 PM

Originally Posted by Acorn

Sneaking in under Matt's Closed Thread radar...

...the WebP vulnerability has not been patched in Xara Designer Pro+ 23.5.0.68069 SL x64 Nov 13 2023 and probably other Plus products.

Acorn

Please clarify