Conversation

@Nachtalb
Updates

  • Affected products

Comments
Provide more commonly used affected dependencies

@github-actions github-actions bot changed the base branch from main to Nachtalb/advisory-improvement-2789 September 29, 2023 08:09
@shelbyc
Contributor
shelbyc commented Oct 2, 2023

👋 Hi @Nachtalb, do you have reference links showing that Pillow and webp are affected by GHSA-j7hp-h8jx-5ppr? I found this commit showing that webp upgraded a dependency on libwebp-sys, but I'm not able to find a similar commit for Pillow. Additionally, Pillow appears to have no version called 4.8.1 on PyPI or GitHub.

@Nachtalb
Author
Nachtalb commented Oct 3, 2023

Hi, yeah, I have copied the wrong value from my list for some reason. The correct Pillow version is 10.0.1.

Pillow:

Webp (rust):

Can I somehow edit this file directly or create a new entry? (Or should I use the usual fork -> PR?)

@advisory-database advisory-database bot merged commit 737de8c into Nachtalb/advisory-improvement-2789 Oct 3, 2023
@advisory-database
Contributor
Hi @Nachtalb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the Nachtalb-GHSA-j7hp-h8jx-5ppr branch October 3, 2023 20:27
@shelbyc
Contributor
shelbyc commented Oct 3, 2023

@Nachtalb I was able to incorporate the suggested additions and reference links just fine. Thanks for contributing!
