Repository: https://github.com/murphysecurity/libwebp-checker (language: Shell; license: Apache-2.0; last pushed 2023-10-07). Description: a tool for finding vulnerable libwebp (CVE-2023-4863).

[中文](README_ZH.md) | EN

# CVE-2023-4863 libwebp dependency check tool
This tool checks whether applications or running processes on your server are affected by CVE-2023-4863, a heap buffer overflow in libwebp. The check targets libwebp 0.5.0 and later; the fix shipped in libwebp 1.3.2.

> Run this script in your production environment carefully.

### Result Screenshots

Scan result

<img alt="scan result (processes)" src="./assets/scan-process-result.png" width="80%">

<img alt="scan result (path)" src="./assets/scan-path-result.png" width="80%">

## Table of Contents
1. [How it works](#how-it-works)
2. [Working Scenarios](#working-scenarios)
3. [Getting Started](#getting-started)
4. [Communication](#communication)
5. [License](#license)

## How it works
1. CVE-2023-4863 affects libwebp versions 0.5.0 to 1.3.1 and is fixed in 1.3.2. The tool identifies affected copies of libwebp by analyzing the files opened by running processes and the files of the target application.
2. Starting with libwebp 0.5.0, the exported functions `WebPCopyPlane` and `WebPCopyPixels` were introduced; the vulnerable function itself is `VP8LBuildHuffmanTable`. A file that contains these function names is therefore a libwebp build in the affected version range.
3. The fixed release 1.3.2 added the function `VP8LHuffmanTablesAllocate`. If the target file has not been stripped, the presence of this name identifies a patched build. Because this marker is absent from stripped files, a file that matches step 2 but not step 3 may still be a stripped 1.3.2 build; confirm the version by other means before treating it as vulnerable.

## Working Scenarios

In local or server environments, the tool inspects specified paths, the binaries of all running processes, jar packages and rpm packages to determine whether they depend on the vulnerable libwebp component.

## Getting Started
### 1. Get the Access Token

> We analyze components from the Maven Central Repository to obtain hashes of the affected components, and we keep this data continuously updated. After authenticating with an access token from MurphySec.com you can use this data for matching, which saves analysis time.

Go to [MurphySec platform - Access Token](https://www.murphysec.com/console/set/token) and click the copy button next to the token; the access token is copied to the clipboard.

<img alt="access token" src="./assets/access-token.png" width="80%">

### 2. Detection

#### Scan a specific directory path

```
bash libwebp-checker.sh --token Your_Token_From_Console -f /path_you_want_scan/
```

#### Scan all processes

```
bash libwebp-checker.sh --token Your_Token_From_Console -p
```

### 3. View Result

The script prints the affected file names, process IDs and the matched keywords, such as `WebPCopyPlane` and `WebPCopyPixels`, to support further analysis and updating of the component.

## Known Vulnerable Java Artifacts
```
ai.edgestore:engine
app.cash.paparazzi:layoutlib-native-linux
app.cash.paparazzi:native-linux
cn.ellabook:flutter-saassdk
cn.ellabook:saassdk
cn.fly2think:SmartPanorama
cn.fly2think:SmartPanoramaX
cn.rongcloud.sdk:fu_beautifier
com.aiyaapp.aiya:AyEffectSDK
com.computinglaboratory:opencv
com.criteo:jvips
com.eworkcloud.starter:ework-cloud-starter-image
com.eworkcloud:ework-cloud-starter-image
com.facebook.fresco:webpsupport
com.facebook.spectrum:spectrum-webp
com.freeletics.fork.paparazzi:layoutlib-native-linux
com.github.gotson:webp-imageio
com.github.jenly1314.WeChatQRCode:opencv-armv64
com.github.jenly1314.WeChatQRCode:opencv-armv7a
com.github.jenly1314.WeChatQRCode:opencv-x86
com.github.jenly1314.WeChatQRCode:opencv-x86_64
com.github.usefulness:webp-imageio
com.github.zjupure:webpdecoder
com.innov8tif.okaycam:opencv
com.innov8tif.okayid:opencv
com.scanzy:ScanzyBarcodeScannerSDK
com.waicool20.skrypton:skrypton-native-linux64
de.marcreichelt:webp-backport
de.sg-o.lib:opencv
id.mob:api-client
io.bitbucket.mobscannersdk:customdocscannerlib
io.bitbucket.mobscannersdk:docscannerlib
io.github.anylifezlb:slientEngine
io.github.darkxanter:webp-imageio
io.github.greycode:ocrlite
io.github.humbleui:skija-linux
io.github.humbleui:skija-linux-x64
io.github.izuiyou:octoflutter
io.github.jiemakel:octavo-assembly_2.12
io.github.zumikua:webploader-desktop
io.johnsonlee.layoutlib:native-linux
io.tiledb:tiledb-cloud-java
net.ifok.image:webp4j
org.demen.android.opencv:opencv
org.demen.android.opencv:opencv-img
org.demen.android.opencv:opencv_world
org.godotengine:godot
org.jetbrains.skiko:skiko-awt-runtime-linux-arm64
org.jetbrains.skiko:skiko-awt-runtime-linux-x64
org.jetbrains.skiko:skiko-jvm-runtime-linux-arm64
org.jetbrains.skiko:skiko-jvm-runtime-linux-x64
org.lucee:sejda-webp
org.openpnp:opencv
org.pireco:kypsdk
org.robolectric:nativeruntime-dist-compat
org.sejda.imageio:webp-imageio
org.sejda.webp-imageio:webp-imageio-sejda
science.aist:aistcv
```

## Communication
Contact our official WeChat account and we will add you to the discussion group.

<img src="./assets/wechat.png" width="200px">

## License
[Apache 2.0](LICENSE)
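The symbol heuristic from "How it works", as an added example that is not part of the libwebp-checker project: a small POSIX shell script that classifies one file, walks a directory tree, or inspects the files mapped by running processes on Linux. It uses only the marker names the README gives (`WebPCopyPlane`, `WebPCopyPixels`, `VP8LHuffmanTablesAllocate`); the function names, the verdict labels and the `-f`/`-p` flags are this example's own, and unlike the project's script it does no hash lookup against the MurphySec service. Jar handling assumes `unzip(1)` is installed.

```shell
#!/bin/sh
# Added example (not libwebp-checker's own code): a minimal POSIX-sh
# implementation of the symbol-name heuristic described under "How it works".
# The marker strings are the ones the README names; the function names and
# verdict labels are this example's own choice.
#
#   WebPCopyPlane / WebPCopyPixels  -> exported from libwebp 0.5.0 onward
#   VP8LHuffmanTablesAllocate       -> added in the fixed release 1.3.2

# Binary-safe, quiet substring test. -a keeps grep from replacing a match
# with "Binary file ... matches"; -q gives only an exit status.
has_marker() {
    grep -aq -- "$2" "$1" 2>/dev/null
}

# Classify one file and print a verdict:
#   patched          -> 1.3.2 marker found
#   vulnerable-range -> 0.5.0+ markers found, no 1.3.2 marker
#   not-libwebp      -> no libwebp marker at all
# Caveat (from the README): the 1.3.2 marker is only visible in unstripped
# files, so a stripped 1.3.2 build also lands in "vulnerable-range"; treat
# that verdict as "confirm the version", not as proof of exposure.
classify_libwebp_file() {
    f=$1
    probe=$f
    tmp=""
    case "$f" in
        *.jar|*.war|*.zip)
            # Archive entries are deflate-compressed, so grep the
            # decompressed stream instead of the archive bytes (the native
            # .so files bundled inside the jar carry the symbols).
            # Assumes unzip(1) is available.
            tmp=$(mktemp) || return 1
            unzip -p "$f" > "$tmp" 2>/dev/null || :
            probe=$tmp
            ;;
    esac
    if has_marker "$probe" VP8LHuffmanTablesAllocate; then
        verdict=patched
    elif has_marker "$probe" WebPCopyPlane || has_marker "$probe" WebPCopyPixels; then
        verdict=vulnerable-range
    else
        verdict=not-libwebp
    fi
    [ -n "$tmp" ] && rm -f "$tmp"
    echo "$verdict"
}

# Walk a directory tree and report every file that carries libwebp markers.
scan_path() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        v=$(classify_libwebp_file "$f")
        [ "$v" = not-libwebp ] || echo "$v $f"
    done
}

# Report libwebp copies mapped into running processes (Linux /proc only).
# Field 6 of /proc/PID/maps is the backing file; anonymous mappings have none.
# A statically linked libwebp is covered too, because the executable itself
# is one of the mapped files.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        awk '$6 ~ /^\// { print $6 }' "$maps" 2>/dev/null | sort -u |
        while IFS= read -r path; do
            [ -r "$path" ] || continue
            v=$(classify_libwebp_file "$path")
            [ "$v" = not-libwebp ] || echo "pid=$pid $v $path"
        done
    done
}

# Usage: sh libwebp-scan.sh -f DIR    (scan a directory tree)
#        sh libwebp-scan.sh -p        (scan running processes, needs /proc)
case "${1-}" in
    -f) scan_path "$2" ;;
    -p) scan_processes ;;
esac
```

Each reported line is `<verdict> <path>` (prefixed with `pid=<n>` for process scans). Only `patched` is a positive identification; `vulnerable-range` on a stripped binary should be followed up with the package manager (`rpm -q --whatprovides`, `dpkg -S`) or a version string search before the host is marked as exposed, and a file with no markers at all may still be a libwebp older than 0.5.0, which this heuristic cannot see.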