WebP format has security issues

masterjp
Posts: 449
Joined: Fri Feb 13, 2009 4:37 pm
Location: Duesseldorf, Germany

WebP format has security issues

Post by masterjp »

There is a security issue in the webp format, which can produce a heap overflow.
All photo programs use an old webp library, which has this bug.
I think we must wait until the developer of the webp library has fixed the bug.

https://securityboulevard.com/2023/09/p ... tical-bug/

https://www.techtarget.com/searchsecuri ... nerability
PC: Intel 8700k + Asus Z370-F + 16 GB RAM G.Skill + Asus RTX 3050 OC + Samsung SSD
OS: Windows 10 Pro 64bit 22H2 |
GFX: XN-View 2.51.6 | XnViewMP 1.8.0 | XnConvert 1.100.1 | Adobe Photoshop Elements 2024 | Elements XXL 11 | Paint.Net
xnview
Author of XnView
Posts: 44490
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: WebP format has security issues

Post by xnview »

it's fixed in libwebp v1.3.2
Pierre.
viewerr
Posts: 2
Joined: Sun Sep 17, 2023 12:33 am

Re: WebP format has security issues

Post by viewerr »

xnview wrote: Fri Sep 15, 2023 6:05 am it's fixed in libwebp v1.3.2
how do we install it?
I heard there are already exploits out there with prepared webp images?!
masterjp
Posts: 449
Joined: Fri Feb 13, 2009 4:37 pm
Location: Duesseldorf, Germany

Re: WebP format has security issues

Post by masterjp »

It is not possible to replace the libwebp.dll by yourself.
In the past you could use the library of XnConvert, if it used a newer library.

Please wait until the next release of XnViewMP.

P.S.: IrfanView 4.62 has the latest bug-fixed webp 1.32. But you must install it manually.
It is not compatible with XnViewMP.
xnview
Author of XnView
Posts: 44490
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: WebP format has security issues

Post by xnview »

please try to replace with this version
Pierre.
viewerr
Posts: 2
Joined: Sun Sep 17, 2023 12:33 am

Re: WebP format has security issues

Post by viewerr »

xnview wrote: Thu Sep 21, 2023 6:58 am please try to replace with this version
thanks!
seems to work :)
masterjp
Posts: 449
Joined: Fri Feb 13, 2009 4:37 pm
Location: Duesseldorf, Germany

Re: WebP format has security issues

Post by masterjp »

Wonderful! Thank you so much! :D
kesdoputr
Posts: 6
Joined: Sun Mar 09, 2008 4:51 pm

Re: WebP format has security issues

Post by kesdoputr »

xnview wrote: Thu Sep 21, 2023 6:58 am please try to replace with this version
Hello, does the webp plugin have a 32-bit version?
XnView MP x64 newest version is 1.6.2 with libwebp 1.3.2
but XnView MP x32 newest version is 1.5.5 and the libwebp is still 1.3.0

Thanks for reading.

P.S. A suggestion: nconvert x64 now includes the webp plugin but x32 doesn't; maybe it's better that nconvert x32 also includes the webp plugin. :D
xnview
Author of XnView
Posts: 44490
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: WebP format has security issues

Post by xnview »

kesdoputr wrote: Thu Nov 23, 2023 3:47 pm Hello, does the webp plugin have a 32-bit version?
XnView MP x64 newest version is 1.6.2 with libwebp 1.3.2
but XnView MP x32 newest version is 1.5.5 and the libwebp is still 1.3.0
Here is with this version
P.S. A suggestion: nconvert x64 now includes the webp plugin but x32 doesn't; maybe it's better that nconvert x32 also includes the webp plugin. :D
ok
Pierre.
kesdoputr
Posts: 6
Joined: Sun Mar 09, 2008 4:51 pm

Re: WebP format has security issues

Post by kesdoputr »

xnview wrote: Fri Nov 24, 2023 9:04 am
kesdoputr wrote: Thu Nov 23, 2023 3:47 pm Hello, does the webp plugin have a 32-bit version?
XnView MP x64 newest version is 1.6.2 with libwebp 1.3.2
but XnView MP x32 newest version is 1.5.5 and the libwebp is still 1.3.0
Here is with this version
P.S. A suggestion: nconvert x64 now includes the webp plugin but x32 doesn't; maybe it's better that nconvert x32 also includes the webp plugin. :D
ok
Thanks for the reply, it works great. :D
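
To confirm which libwebp version a library file actually contains (the thread names v1.3.2 as the fixed release and notes an x32 build still on 1.3.0), here is an added example, not part of the original thread or of XnView's code, that calls libwebp's `WebPGetDecoderVersion()` through Python's ctypes. It assumes the path given on the command line is a libwebp shared library that exports that function and matches the bitness of the Python interpreter; an application-specific plugin file may not.

```python
"""Added example: report the libwebp version exposed by a library file."""
import ctypes
import sys

FIXED = (1, 3, 2)  # release named in the thread as containing the fix


def unpack_version(packed):
    """libwebp packs its version as 0xMMmmrr (major, minor, revision)."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_fixed(version, fixed=FIXED):
    """True when the version tuple is at or above the fixed release."""
    return tuple(version) >= tuple(fixed)


def query_library(path):
    """Load the library and return its decoder version tuple, or None.

    None means the file could not be loaded (missing, or a 32-bit DLL opened
    from 64-bit Python) or does not export WebPGetDecoderVersion.
    Loading a library runs its initialisation code, so only point this at
    files from an installation you already trust.
    """
    try:
        lib = ctypes.CDLL(path)
        func = lib.WebPGetDecoderVersion
    except (OSError, AttributeError):
        return None
    func.restype = ctypes.c_int
    func.argtypes = []
    return unpack_version(func())


def report(path):
    """One human-readable status line for the given library path."""
    version = query_library(path)
    if version is None:
        return f"{path}: could not query (bitness mismatch or no libwebp export)"
    state = "fixed" if is_fixed(version) else "older than 1.3.2, not fixed"
    return f"{path}: libwebp {'.'.join(map(str, version))} ({state})"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(report(p))
```

Run it with a Python build of the same bitness as the library being checked, since a 64-bit interpreter cannot load a 32-bit DLL and will report it as not queryable.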