Hacker News
The WebP vulnerability: a tale of a CVE with much bigger impl (cloudflare.com)
29 points by todsacerdoti 7 months ago | 6 comments



Why do we even need WebP? Who decided it was a good idea?

It won't even render a preview thumbnail on older systems and wants to open in a browser by default (yuck! this is a picture)

png, jpg and the others are good enough.


How strong are the “we take security seriously”, “always watching”, “fast to respond”, “working with the industry” vibes in this post!

When only the day before their DNS (a core product) goes out for hours as they weren’t monitoring a well-alerted change to upstream DNS records that took place weeks before (which might have allowed a crafty spoofing incident).

Makes it hard to put too much faith in the hype of some of these puff pieces.


Why did Cloudflare write this in a tone that implies they had anything to do with the initial mix-up between Chrome assigning this as Chrome-only?

Can’t find anything from them where that was the case.


impl


WebP is one in a series of exploits that will come to pass in all codecs. Media codecs are made without regard to safety and overwhelmingly rely on handmade assembly or hardware implementations.

As usual, most of this issue is resolved by using languages that can be memory safe.


This problem wasn't even in the bulk pixel handling code that would be written in assembly or using vector instructions.



