Last active
October 2, 2023 05:59
Track CVE-2023-4863 affected libraries
Name | Language | Uses libwebp | Affected Versions | Patched versions | Is Inline third-party | Is System dependency | Depends on | URLs | Comment |
---|---|---|---|---|---|---|---|---|---|
libwebp | C | | < 1.3.2 | 1.3.2 | | | | | Problemmaker |
TwelveMonkeys | Java | No | | | | | | https://github.com/haraldk/TwelveMonkeys/issues/822 | Self-made in pure Java |
libvips | C | Yes | < 8.14.5 | 8.14.5 | Yes | Yes | libwebp | https://github.com/libvips/libvips/discussions/3675#discussioncomment-7078199 | Bundled in Windows prebuilt, otherwise system dependency |
Sharp | JS | Yes | < 0.32.6 | 0.32.6 | Yes | No | libvips | https://github.com/lovell/sharp/issues/3798 | |
libwebp-rs | Rust | Indirectly | * | | No | No | libwebp-sys2 | https://github.com/qnighy/libwebp-rs | |
webp | Rust | Indirectly | < 0.2.6 | 0.2.6 | No | Yes | libwebp-sys | https://github.com/jaredforth/webp/pull/30 | |
libwebp-sys | Rust | Yes | < 0.9.3 | 0.9.3 | Yes | No | | https://github.com/NoXF/libwebp-sys/pull/23 | |
libwebp-sys2 | Rust | Yes | < 0.1.8 | 0.1.8 | Yes | No | | https://github.com/qnighy/libwebp-sys2-rs/blob/572a436a7a1bf7234f5c92576fc40edba6c9ae7f/CHANGELOG.md | Fixed in 0.1.8 by using unreleased libwebp master, fixed in 0.1.9 by using released libwebp 1.3.2 |
opencv | C++ | Yes | < 4.8.1 | 4.8.1 | Yes | No | | https://github.com/opencv/opencv/pull/24274 | |
Imageio | Python | Indirectly | | | No | Yes | Pillow, pyav, OpenCV, WEBP-FI | | |
Pillow | Python | Yes | < 10.0.1 | 10.0.1 | Yes | No | | https://github.com/python-pillow/Pillow/pull/7395 | |
pyav | Python | Indirectly | | | No | Yes | ffmpeg | | |
webp-fi | C++ | Yes | * | | Yes | No | | | Not updated since 2018 |
ffmpeg | C | Yes | >2.0 | | | Yes | libwebp > 0.2 | https://github.com/FFmpeg/FFmpeg/blob/8eb094adb2ac3b6ea1d2cdd0fdfc7b69b2084db9/configure#L6843 | Technically all versions, as they only define "larger than version 0.2" |
electron | JS | Yes | >= 22.0.0, < 22.3.24, >= 24.0.0, < 24.8.3, >= 25.0.0, < 25.8.1, >= 26.0.0, < 26.2.1, >= 27.0.0-beta.1, < 27.0.0-beta.2 | 22.3.24, 24.8.3, 25.8.1, 26.2.1, 27.0.0-beta.2 | Yes | No | | https://chromium.googlesource.com/webm/libwebp.git/+log/6a319d4da395..4619a48fc329 | List of tracked electron apps: https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec |
SkiaSharp | C# | Yes | >= 2.0.0, < 2.88.6 | 2.88.6 | Yes | No | | https://github.com/mono/SkiaSharp/pull/2622, https://github.com/mono/SkiaSharp/pull/2623 | |