GOSSIP USERS: SECURITY ALERT

There is an UNPATCHED vulnerability in libwebp that allows a malicious image to infect your computer. This affects gossip, as well as countless other programs.

Normally we wouldn't announce an active vulnerability until it is patched and there is a solution, but this news is already widespread.

Please go to your settings and uncheck "Render all media inline automatically". Only click to view media from people you trust.

We are working towards a better understanding of this, and a fix.

Please correspond with nostr:npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c as this account is only used for announcements and is not watched.

Related security alerts:

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

More info

https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days

https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/


Discussion

UPDATE: Images are ok. Images are rendered via a rust library that does not have this vulnerability. It is videos that could be suspect.

If your build of gossip does not include the 'video-ffmpeg' feature, then it doesn't use the libwebp library. You can check by running 'ldd' on the binary. Here is ldd run against a gossip binary that has not enabled that feature:

myr gossip] ldd target/debug/gossip
    linux-vdso.so.1 (0x00007ffefcd15000)
    libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
    libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)

If instead you see something like this:

    libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)

then your client may be vulnerable.

I could use help understanding this vulnerability.

Final Update (I think):

Some of the articles/writings on this are wrong and implicate libwebp 1.3.2. But having looked at the code, libwebp was fixed before 1.3.2 was released. If you have version 1.3.2 of libwebp, you should be fine. Update your operating system if you have an older version of libwebp.

Again, this doesn't affect you if you didn't compile with the 'video-ffmpeg' feature.

Again, this doesn't affect images, only videos, and maybe not even videos; we can't be sure.

There will not be an updated release of gossip since this is a dynamically linked library managed by your operating system.
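The ldd check above, done by eye, and the 1.3.2 version cut-off from the final update, as an added script that is not part of gossip or of this note. The sample ldd output is constructed from the lines quoted above; the version string is assumed to be a plain dotted number such as the one pkg-config reports.

```shell
#!/bin/sh
# Added example (not gossip's own tooling): report whether a binary dynamically
# links libwebp, and whether an installed libwebp version is at or past 1.3.2,
# the release the note above says already contains the fix.

# Constructed sample ldd output, modelled on the lines quoted in the note.
LDD_NO_WEBP='	linux-vdso.so.1 (0x00007ffefcd15000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)'
LDD_WITH_WEBP="$LDD_NO_WEBP
	libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)"

# links_libwebp: read ldd output on stdin, print any libwebp line,
# return 0 if libwebp is linked and 1 if it is not.
links_libwebp() {
    grep -E '^[[:space:]]*libwebp\.so'
}

# check_binary PATH: run ldd on a real binary and report the result.
# ldd may run the binary's dynamic loader, so only point it at binaries you trust.
check_binary() {
    if ldd "$1" | links_libwebp; then
        echo "$1: links libwebp; check the installed libwebp version"
        return 1
    fi
    echo "$1: does not link libwebp"
}

# webp_version_ok MAJOR.MINOR[.PATCH]: return 0 if the version is >= 1.3.2.
# Assumes a plain dotted numeric version (e.g. pkg-config --modversion libwebp).
webp_version_ok() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    if [ "$maj" -ne 1 ]; then [ "$maj" -gt 1 ]; return $?; fi
    if [ "$min" -ne 3 ]; then [ "$min" -gt 3 ]; return $?; fi
    [ "$pat" -ge 2 ]
}

# Usage: sh check_webp.sh /path/to/gossip
if [ $# -gt 0 ]; then check_binary "$1"; fi
```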

GOSSIP USERS: SECURITY WARNING

There is an unpatched vulnerability in libwebp that lets a malicious image infect your computer. Normally we would not announce an active vulnerability until a patch has been applied and a solution is available, but this news has already spread.

Please uncheck "Render all media inline automatically" in your settings. Only click to view media from people you trust.

We are working towards a better understanding of this problem and towards a fix.

This account is only used for announcements and is not monitored, so please contact @Michael Dilger.

Related security alerts

nostr:nevent1qqsydh0dpturk7lxsrrkj8ptwnlmndczla9k9r97f7sqr2tdshuallspzfmhxue69uhk7enxvd5xz6tw9ec82cs0yf38d