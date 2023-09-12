Tuesday, September 12, 2023
WebP chemspill patch on Github
A fix is in the TenFourFox tree for MFSA 2023-40, a/k/a CVE-2023-4863, which is a heap overflow in the WebP image decoder. Firefox 45 would not ordinarily be vulnerable to this but we have our own basic WebP decoder using Google's library, so we are technically exploitable as well. I was working on a fix of my own but the PM27 fix that roytam1 cherrypicked is cleaner, so I've added that patch and one more for correctness. Although this issue is currently being exploited in the wild, it would require a PowerPC-specific attack to be successful on a Power Mac. You do not need to clobber to update your build.
