Vulnerability in libwebp dependency, please upgrade sharp to 0.32.6 (CVE-2023-4863) #3798
Comments
|
To be able to use // tsconfig.json
{
"compilerOptions": {
// ...
"typeRoots": ["./node_modules/@types", "./src/typings"],
}
}// src/typings/sharp-extensions.d.ts
import "sharp";
declare module "sharp" {
export function block(options: { operation: string[] }): void;
} |
|
It looks like the fix is already there https://chromium.googlesource.com/webm/libwebp/+/refs/tags/v1.3.2 |
|
@ldrick Happy to accept a PR adding this definition to https://github.com/lovell/sharp/blob/main/lib/index.d.ts if you're able. |
|
lovell
changed the title
|
sharp 0.32.6 is now available and provides libwebp 1.3.2. Please upgrade, especially if you process untrusted input. |
It includes an important `sharp` dependency upgrade for a libwebp vulnerability. See: lovell/sharp#3798
|
Hi, @lovell There is no mention of this in the 0.32.6 changelog, is it possible to add it? |
|
@yisibl The changelog includes changes to sharp and the minimum supported version of libvips for those who prefer not to use prebuilt binaries. The versions of all dependencies provided in the prebuilt binaries are made available via I cannot list every change in every dependency every time, but I will open an issue on sharp and promote on social media if I'm aware of something that I think would make upgrading worthwhile, as is the case here. |
|
@lovell Would it be possible to list this within https://github.com/lovell/sharp/security and/or flag the vulnerable builds so that users of |
|
@natevw This vulnerability isn't in sharp itself, and isn't in anything published to npm either, but is rather in the binaries that sharp will probably download from the sharp-libvips GitHub Releases. It's yet another reason for the importance of #3750 as by publishing everything to the npm registry we can flag specific npm packages as vulnerable. Perhaps this would be better listed as part of GHSA-j7hp-h8jx-5ppr itself, which is backed by the data in https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-j7hp-h8jx-5ppr/GHSA-j7hp-h8jx-5ppr.json as that should result in |
As a user of this package, that seems a rather meaningless distinction? The vulnerability is that I have some older install of e.g. This is exactly the sort of thing Most people don't visit the issues tab here on this repo as part of their morning routine. Until the new work lands to give the underlying dependencies their own packages (👍 and props for that), I would argue that the "buck stops here" and would encourage you to more proactively alert any other users of the vulnerability which older versions of this package cause, since some might still be unaware. |
|
I was hoping we could re-use the existing GHSA-j7hp-h8jx-5ppr advisory as I didn't want to generate a new CVE via the sharp repo and confuse things. However it looks like it's now possible to create an advisory using an existing CVE, so please see GHSA-54xq-cgqr-rpm3 |
Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity CVE-2023-4863, which in turn is linked to CVE-2023-41064
You've probably noticed a lot of operating system and app updates during the last week, including iOS, Chrome, WhatsApp etc. and many of these updates relate to this same problem.
Who does this affect?
Almost anyone processing untrusted input with sharp.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp.
Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.
Using a globally-installed libvips?
Please ensure you are using the latest libwebp 1.3.2.
Possible workaround
Add the following to your code to prevent sharp from decoding WebP images.
The text was updated successfully, but these errors were encountered: