
CVE-2023-4863 - Vulnerability in Google's libwebp library

The ARender team presents a security review article about Google's libwebp library.

Context


A critical zero-day vulnerability (CVE-2023-4863) was recently discovered in Google's webmproject/libwebp library. A maliciously formed WebP image can trigger a buffer overflow that results in an out-of-bounds write and allows remote code execution. It affects Google Chrome prior to 116.0.5845.187 and libwebp prior to 1.3.2.

This critical vulnerability is not limited to Chromium: it impacts any software that uses the libwebp library.

Is ARender affected by this security vulnerability?


ARender is indirectly impacted by this security issue because it uses third-party tools such as LibreOffice and ImageMagick to process documents.

The Document Foundation released two security updates for its popular LibreOffice open-source office suite, 7.6.2 and 7.5.7, to address the recently disclosed vulnerability in the WebP codec.

ImageMagick released 7.1.1-17 to address the critical security issue.

How to mitigate this security vulnerability?


To mitigate this issue, we urge you to apply the following upgrades:

On Windows:
- Upgrade LibreOffice to 7.6.2 or 7.5.7
- Upgrade ImageMagick to 7.1.1-17 or above

On Linux:
- Upgrade the libwebp library to 1.3.2

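To verify the upgrades listed above on a rendition host, the following added example (not ARender's own code) compares version strings against the fixed releases named in this article. The sample banners are constructed for illustration, and the rule that branches newer than every fixed branch already carry the fix is an assumption.

```python
import re

# Fixed releases named in this article.
FIXED = {
    "imagemagick": [(7, 1, 1, 17)],
    "libwebp": [(1, 3, 2)],
    # LibreOffice was fixed on two maintained branches.
    "libreoffice": [(7, 5, 7), (7, 6, 2)],
}

# Constructed sample version strings (not captured from a real host).
SAMPLE_BANNERS = {
    "imagemagick": "Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64",
    "libreoffice": "LibreOffice 7.5.7.1",
    "libwebp": "1.3.1",
}

def parse_version(text):
    """Return the first dotted or dashed version in text as a tuple of ints."""
    match = re.search(r"\d+(?:[.-]\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", match.group()))

def is_fixed(product, banner):
    """True if the version in banner is at or above the fix for its branch."""
    version = parse_version(banner)
    fixes = sorted(FIXED[product])
    for fix in fixes:
        if version[:2] == fix[:2]:  # same major.minor branch
            return version >= fix
    # Assumption: branches newer than every fixed branch include the fix,
    # older branches do not.
    return version[:2] > fixes[-1][:2]

def audit(banners):
    """Map each product to 'ok' or 'upgrade needed'."""
    return {
        product: "ok" if is_fixed(product, banner) else "upgrade needed"
        for product, banner in banners.items()
    }

if __name__ == "__main__":
    for product, status in audit(SAMPLE_BANNERS).items():
        print(f"{product}: {status}")
```
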
Conclusion


ARender is indirectly affected by the recent vulnerability in Google's libwebp library because ARender Rendition uses third-party tools such as LibreOffice or ImageMagick to process documents.
This issue can be mitigated by upgrading the affected software.
