UPDATE: Images are ok. Images are rendered via a Rust library that does not have this vulnerability. It is videos that could be suspect.

If your build of gossip does not include the 'video-ffmpeg' feature, then it doesn't use the libwebp library. You can check by running 'ldd' on the binary. Here is ldd run against a gossip binary that has not enabled that feature:

    myr gossip] ldd target/debug/gossip
        linux-vdso.so.1 (0x00007ffefcd15000)
        libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
        libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)

If instead you see something like this:

libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)

then your client may be vulnerable.

I could use help understanding this vulnerability.
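
The ldd check described in this note can be scripted so it also catches the companion libraries (libwebpmux, libwebpdemux) and unresolved entries. This is an added example, not part of the original note or of gossip itself; the function names are hypothetical and the sample text is the ldd output quoted above.

```shell
#!/bin/sh
# Added example: classify `ldd` output for libwebp linkage.
# Sample ldd output copied from the note (a build without 'video-ffmpeg').
SAMPLE_WITHOUT='    linux-vdso.so.1 (0x00007ffefcd15000)
    libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
    libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)'

# Constructed sample: the output above plus the libwebp line from the note.
SAMPLE_WITH="$SAMPLE_WITHOUT
    libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)"

# Read ldd output on stdin; print "soname path" for every libwebp entry.
# The pattern also matches libwebpmux/libwebpdemux, which ship with libwebp.
libwebp_entries() {
    awk '$1 ~ /^libwebp[a-z]*\.so/ {
        path = ($2 == "=>") ? $3 : "(unresolved)"
        if (path == "not") path = "(not found)"
        print $1, path
    }'
}

# Exit status 0 if the ldd text on stdin links libwebp, 1 otherwise.
links_libwebp() {
    [ -n "$(libwebp_entries)" ]
}

# Check a real binary, e.g.: check_binary target/debug/gossip
# ldd resolves transitive dependencies, so libwebp pulled in indirectly
# through another shared library is listed too. ldd may execute the loader
# of the target, so only run it on binaries you built or trust.
check_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    out=$(ldd "$bin" 2>/dev/null) || { echo "not a dynamic executable: $bin" >&2; return 2; }
    hits=$(printf '%s\n' "$out" | libwebp_entries)
    if [ -n "$hits" ]; then
        echo "libwebp is loaded by $bin:"; echo "$hits"; return 0
    fi
    echo "no libwebp among the dynamic dependencies of $bin"; return 1
}
```

A clean result only covers dynamic linking: a build that links libwebp statically will not show it in ldd output.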
