Update libwebp to migrate CVE-2023-4863

[nkh0472]

CVE-2023-4863: severity HIGH

Published Date - Jan 14, 2025
Severity - High
CVSSv3 Score - 7.1
Impact - Execute unauthorized code or commands

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

[nkh0472]

I have attempted to compile the libwebp DLL using the following setup:

• Latest UCRT64 from MSYS2
• libwebp 1.6.0 source code

Here are the steps I followed:

cd ./libwebp-1.6.0
autoreconf -fi
#./configure --help

./configure \
  --prefix=/tmp/libwebp-stage \
  --enable-shared \
  --disable-static \
  --disable-gl \
  --disable-sdl \
  --disable-png \
  --disable-jpeg \
  --disable-tiff \
  --disable-gif \
  --disable-wic \
  --disable-libwebpmux \
  --disable-libwebpdemux \
  --disable-libwebpdecoder \
  --disable-libwebpextras \
  --disable-dependency-tracking \
  CFLAGS="-O2 -march=x86-64-v3 -pipe"

make -j15

After running these commands, libwebp-7.dll generated in \home\xx\libwebp-1.6.0\src\.libs\.

It appears that additional source code modifications might be necessary to use this libwebp-7.dll instead of the original libwebp_x64.dll. I am unsure about the specific changes required.

Upstream dependence WebP-wrapper need to be upgrade.