by pornel 1008 days ago
1. Everything that supports WebP is affected. Not just Chrome and Electron, but all browsers, desktop and mobile, and non-browser software too. All kinds of image viewers, graphics programs, email clients, even your file manager that shows thumbnails.

The bug is in the codec library, and WebP has implementation monoculture, so everyone uses the same library, and everyone needs to patch.

3. Google tried to make WebP a thing 10 years ago, but it didn't get much traction, since it was Chrome-only for a long time. It never got properly standardized (it is open source tho). It compresses low-quality images better than JPEG, but tends to blur and smear colors in higher-quality images.

Ironically WebP became widely supported at the same time when it became technically obsoleted by AVIF and JPEG XL.


> even your file manager that shows thumbnails

Aha! Finally the day has come when KDE's Dolphin emerges as the most secure file manager, in a "this sign can't stop me because I can't read" fashion.

Desktop Linux is on the relatively safer side, just because so much of the open source ecosystem still uses dynamic linking so it just needs your distro to package a new version of libwebp.

All the proprietary software with their own bundled versions of electron or vendored libraries, etc. on the other hand...

> so it just needs your distro to package a new version of libwebp.

That and every Snap/Flatpak/etc. package, every container image you are using and possibly pip packages that can come with and compile all kinds of dependencies and haven't been maintained for ten years...

The security benefit a well maintained Linux distro provides has been eroding for years now.

However, you can choose to largely avoid these. Yes, people are pushing the other way, but you can not use Snap and Flatpak if you use a distro with large repos. You can use Python virtualenvs with --system-site-packages and put just pure Python packages in your requirements.txt. You can run things in containers for security without using images.

I think there are two problems:

1. People running single/small numbers of servers copying practices that are used by people running fleets of containers who can have someone promptly updating everything as needed.

2. As always, convenience. The easiest and best supported way to pip install things is without --system-site-packages.
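Added example (not from the thread, written in Python): it walks a directory tree for bundled copies of libwebp, the way they turn up inside snaps, Flatpak runtimes, container image layers and pip wheels, and flags those whose filename version is below a minimum the caller supplies. The sample tree, the hashed wheel filename and the minimum version (7, 1, 8) are constructed assumptions, and statically linked copies (inside an Electron binary, say) do not show up this way.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches "libwebp.so.7.1.3" and the wheel-style "libwebp-1a2b3c.so.7.1.3"
# that auditwheel-repaired wheels vendor; bare "libwebp.so.7" matches too.
LIBWEBP_RE = re.compile(r"^libwebp(?:-[0-9a-f]+)?\.so\.(\d+(?:\.\d+)*)$")

def parse_version(filename):
    """Shared-object version encoded in the filename as a tuple, or None."""
    m = LIBWEBP_RE.match(filename)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def find_libwebp(root):
    """Yield (path, version) for every libwebp shared object under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is not None:
                yield Path(dirpath) / name, version

def stale_copies(root, minimum):
    """Relative paths whose version is below `minimum`, plus names carrying
    only a major version, which cannot be judged from the name alone."""
    return sorted(
        str(path.relative_to(root))
        for path, version in find_libwebp(root)
        if len(version) < len(minimum) or version < minimum
    )

def build_sample_tree(root):
    """Constructed layout (not a real system): a snap, a venv wheel, a bare
    system-library name and an unrelated library that must be ignored."""
    for rel in (
        "snap/viewer/usr/lib/libwebp.so.7.1.3",
        "venv/lib/python3.11/site-packages/Pillow.libs/libwebp-1a2b3c.so.7.1.8",
        "usr/lib/x86_64-linux-gnu/libwebp.so.7",
        "usr/lib/x86_64-linux-gnu/libpng16.so.16",
    ):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

def demo(minimum=(7, 1, 8)):
    """Build the sample tree in a temp dir and report copies below `minimum`."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return stale_copies(root, minimum)
```

Run `stale_copies("/", minimum)` for a real sweep; the version in the filename is the shared-object version, not the libwebp release number, so the minimum has to be given in that form.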

I have always felt we were going the wrong way with this. I thought I was the only one!

What do you mean? Dolphin displays thumbnails perfectly fine, and I love how easy it is to change the thumbnail size (ctrl-mousewheel or the slider at the bottom).

Might be just the type of files I'm working with, but it feels like half the time it renders the thumbnail as broken static or even not at all.

I don't think I've ever seen that in the past several years of using Dolphin. The context here being WebP, I checked the many WebP files I have, and Dolphin thumbnails all of them without any issue.
> but all browsers, and non-browser software too

It is a libwebp vuln right? So anyone that does not link to libwebp is or may be ok.

Yeah, but once you fix the library the system should be safe. Well, except for all of the snaps and Docker containers and whatnot. Those will need to be updated as well.

Pretty long tail of apps that shell out to ImageMagick to convert stuff, too.

A security update for libwebp has been shipped by the major Linux distros.
> Ironically WebP became widely supported at the same time when it became technically obsoleted by AVIF and JPEG XL.

Firefox very quickly implemented WebP when YouTube (a Google property) added support for animated WebP-based hover thumbnails.

Mozilla created MozJPEG to show that WebP is unnecessary if you compress JPEGs well.

Firefox and Safari only caved years later once Chrome-only WebP-only websites were too common to ignore.

I ignore them without problem, I do most of my web reading on my iPad that does not support WebP and most sites display images without issues. Usually the ones that only offer images in WebP are low quality sites and it's usually a good sign I should just bounce.

WebP has been supported by Safari for a while now. Even WebM is supported, which uses VP8/9. https://caniuse.com/webp https://caniuse.com/webm

Not on my iPad it's not, and I don't plan on updating the OS at the risk of making it slower just for WebP support.

There is an implementation for Go, although it doesn't support every feature of the format.

FFmpeg also has an independent implementation based on its own VP8 decoder.