[Question] Security Vulnerability found in libwebp library

Open jackyk-cognitoiq opened this issue 2 years ago • 5 comments

Discussed in https://github.com/googlesamples/mlkit/discussions/738

Originally posted by jackyk-cognitoiq September 28, 2023

I noticed there has been a security vulnerability found in the libwebp library (https://nvd.nist.gov/vuln/detail/CVE-2023-4863#range-9599713). Can someone confirm whether the Google ML Kit library uses it or not?

I can see it listed in the licenses as using v0.2. Is that the version the library is using?

I believe there is already a patch for the libwebp library to address this (v1.3.2). If the Google ML Kit library does use libwebp, are there any plans for it to be updated?

jackyk-cognitoiq Sep 28 '23 12:09

Thanks for the report! Can you also share which ML Kit SDK's licenses mention this library?

zhouyiself Sep 29 '23 22:09

It is listed in the licenses for the following in the ML Kit SDK:

  • GoogleMLKit/MLKitCore
  • MLKitBarcodeScanning
  • MLKitCommon
  • MLKitVision

jackyk-cognitoiq Oct 02 '23 08:10

Which platform are you referring to? Android or iOS?

zhouyiself Oct 19 '23 23:10

I'm referring to iOS.

jackyk-cognitoiq Nov 02 '23 09:11

ML Kit is scheduled for a public release at the end of February 2024, carrying libwebp version 1.3.2. Please stay tuned for updates.

miworking3 Jan 08 '24 17:01