Boost For Lemmy

6985 readers

4 users here now

Community of the Android app Boost for Lemmy

founded 1 year ago

MODERATORS

rmayayo

Is Boost for Lemmy vulnerable to the webp exploit? (self.boostforlemmy)

submitted 11 months ago by DungFu to c/boostforlemmy

17 comments fedilink hide all child comments

What version of libwebp does Boost use and if it is currently vulnerable, when can we expect an update to fix this issue? The affected versions of libwebp are 0.5.0 to 1.3.1.

you are viewing a single comment's thread
view the rest of the comments

[–] seaQueue 11 points 11 months ago* (last edited 11 months ago) (2 children)

Depending on where the library lives in the Android ecosystem the update could be pushed by the play store framework as part of it's self-update capability or it could be pushed by the OEM with the next system OTA. If it's part of a system update you're at the mercy of the OEM's OTA schedule, Samsung hasn't pushed anything for my tablet in like 8mo, same for my OnePlus phone before the update this week.

Based on this discussion here (https://news.ycombinator.com/item?id=37658635) it sounds like we're all waiting for an OEM OTA, for some reason the video codecs are rolled into the play framework's updates but not the image decoding libraries.

People running LineageOS and other AOSP based firmwares should be covered after their ROMs integrate the next month security patch.

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago)

People running LineageOS and other AOSP based firmwares should be covered after their ROMs integrate the next month security patch.

We've already had it in LineageOS for a week :) https://review.lineageos.org/c/LineageOS/android_external_webp/+/366608/

Proving once again that a handful of contributors in their free time still manages to beat multibillion dollars companies.

[–] [email protected] 2 points 11 months ago (1 children)

So there is no central framework for pushing fixes to urgent fixes? Patching zero-days?

[–] seaQueue 4 points 11 months ago (2 children)

Welcome to the wonderful world of Android. They're rolled into the monthly AOSP security patch and end users are at the mercy of the OEM's update schedule.

This is why Pixel phone regular updates are a big deal, and a reason to run a regularly updated third party ROM like LineageOS.

[–] Flyswat 3 points 11 months ago

This is why Pixel phone regular updates are a big deal, and a reason to run a regularly updated third party ROM like LineageOS.

This is the very reason why I use LineageOS (as well as getting rid of bloatware).

[–] [email protected] 1 points 11 months ago (1 children)

As a person that’s been rolled into smartphones via work (iPhone 3Gs) and then never daily driven an Android, but always thought it might be more to my liking, I’m aghast. How can this be accepted? I now understand why large botnets often is comprised of Android devices.

[–] seaQueue 1 points 11 months ago* (last edited 11 months ago)

Zero days aren't the big driver of botnets, there are millions (if not hundreds of millions) of very cheap, very old, android devices out there. If you look at the periodic stats Google releases >50% of devices are running an Android version <= 10. Something like 20% of Android devices (at least according to the stats Google provides) running Android <= 5.

Per earlier this year: https://m.gsmarena.com/android_13_is_now_running_on_12_of_devices_in_the_wild-news-58244.php

I'm assuming these stats don't even cover a huge number of cheap Indian or Chinese devices too, those don't come with Google services at all.