On 9/27/2023 8:50 AM, Caleb Coverdale wrote:
> Hey there,
>
> I was wondering if Apache Guacamole was susceptible to the webp exploit that was announced. I see in the Guacamole Server code that it is using WebP as the encoder, so I assume that it may be?
> https://github.com/apache/guacamole-server/blob/master/src/libguac/encode-webp.c


No. CVE-2023-4863 (aka CVE-2023-5129) deals specifically with decoding WebP images, not encoding.

You would also receive updates to libwebp from your distribution as the library itself is not bundled within Guacamole. If using our Docker images, the images are automatically rebuilt nightly to bring in updates from the maintainer of the base image (Alpine Linux), and a pull of the latest would give you an updated image.

- Mike
