Welcome to TalkGraphics.com
  1. #1
    Join Date
    Apr 2012
    Location
    SW England
    Posts
    18,448

    WebP Vulnerability

    @Xara, a critical vulnerability was identified on 06/25/28 Sep 2023 for the LibWebP library that you use in Pro+:
    "WebP support uses the libwebp library, Copyright (c) 2010, Google Inc. The license [sic] is webp.txt in the HelpAndSupport folder of your Xara Designer software installation".

    Have you patched your instance?
    The current 2010 copyright statement is not encouraging.
    https://www.tarlogic.com/blog/cve-2023-4863/:
    "Although initially the vulnerability CVE-2023-4863 was assigned to Google Chrome, it really affects the library LibWebP. That’s why on September 25th, a new dedicated CVE identifier was created, the CVE-2023-5217. It is the same vulnerability but assigned to the library instead of Google Chrome browser exclusively. Also, Google assigned the highest criticality possible to this new identifier, with a CVSS3.1 score of 10."
    (https://nvd.nist.gov/vuln/detail/CVE-2023-5217)
    Acorn
    Acorn - installed Xara software: Cloud+/Pro+ and most others back through time (to CC's Artworks). Contact for technical remediation/consultancy for your web designs.
    When we provide assistance, your responses are valuable as they benefit the community. TG Nuggets you might like. Report faults: Xara Cloud+/Pro+/Magix Legacy; Xara KB & Chat

  2. #2
    Join Date
    Aug 2000
    Location
    Placitas, New Mexico, USA
    Posts
    41,650

    Re: WebP Vulnerability

    What does this mean in plain English?

  3. #3
    Join Date
    Feb 2007
    Location
    UK
    Posts
    21,567

    Re: WebP Vulnerability

    Hackers can build webpages that can inject [download] malware onto a visitor's device when they view a WebP image.

    Exactly how that relates to Xara software is for Acorn....
    -------------------------------
    Nothing lasts forever...

  4. #4
    Join Date
    Apr 2012
    Location
    SW England
    Posts
    18,448

    Re: WebP Vulnerability

    Originally posted by handrawn:
    "Hackers can build webpages that can inject [download] malware onto a visitor's device when they view a WebP image.
    Exactly how that relates to Xara software is for Acorn...."

    It could infect you if you open a malicious WebP in Pro+.

    Acorn

  5. #5
    Join Date
    Aug 2000
    Location
    Placitas, New Mexico, USA
    Posts
    41,650

    Re: WebP Vulnerability

    Hmm? Does not sound good.

  6. #6

    Re: WebP Vulnerability

    Even if Xara applications are invulnerable to an infected WebP image, assuming one uses such an image and could pass it along untouched to a website build/update, it would then be possible that the site can infect others or the designer's computer viewing the page they built, unless both parties are using up-to-date browsers / browser components.

  7. #7
    Join Date
    Feb 2007
    Location
    UK
    Posts
    21,567

    Re: WebP Vulnerability

    Originally posted by Acorn:
    "It could infect you if you open a malicious WebP in Pro+.

    Acorn"

    As I thought, thanks.

  8. #8
    Join Date
    Sep 2000
    Location
    London, England
    Posts
    423

    Re: WebP Vulnerability

    We frequently update libraries. While we assessed this to be a very low-risk vulnerability, the LibWebP is already scheduled to be updated in the next release of the desktop products. Note that the copyright notice in the latest version of the LibWebP source files direct from Google still says 2010, so that isn't a specific cause for concern.

    Have a good weekend.
    Matt

    [I am not sure why Matt, but your response to this thread was moderated and some of the foreign characters that appear in Russian spammer posts appeared in the title of your response. I replaced the title in your post and removed your response from moderation. Gary]

  9. #9
    Join Date
    Apr 2012
    Location
    SW England
    Posts
    18,448

    Re: WebP Vulnerability

    Sneaking in under Matt's Closed Thread radar...

    ...the WebP vulnerability has now been patched in Xara Designer Pro+ 23.5.0.68069 SL x64 Nov 13 2023 and probably other Plus products.

    Acorn
    Last edited by Acorn; 15 November 2023 at 04:58 PM.

  10. #10
    Join Date
    Sep 2000
    Location
    London, England
    Posts
    423

    Re: WebP Vulnerability

    Originally posted by Acorn:
    "Sneaking in under Matt's Closed Thread radar...

    ...the WebP vulnerability has not been patched in Xara Designer Pro+ 23.5.0.68069 SL x64 Nov 13 2023 and probably other Plus products.

    Acorn"

    Please clarify

 

 
