by not2b 1008 days ago
Ubuntu and Fedora have put out security updates for libwebp, so any program that uses the shared library to access WEBP images is safe, once security updates are applied. Not sure about other Linux distros, but I expect that almost everyone has dealt with this. Unfortunately, snap and flatpak applications are a problem; it's hard to tell which ones might have a bundled, vulnerable WEBP decoder linked in.

Not really “any” program but those that don’t ship their own version and didn’t statically link against libwebp (if that’s an option?). Notably, browsers often don’t use the system version of the library. That’s not the end of the world since browser vendors are on top of the security game for the most part - but the million Electron apps you might be running also each need to be updated individually!

Basically, don’t rest easy and get complacent. Updating the OS distros is not enough.

I've just had a look into my flatpak installation, where my default "Platform" (runtime) is still vulnerable. That didn't even seem too much of a worry though, since, as I found out, all of the flatpak apps I use that have a dependency ship their own libwebp. And sure enough, except for Firefox which is patched, none of them is.

    $ flatpak update --no-related --force-remove
    Checking for updates...
    Nothing to do.

My base system (Debian) got the patch almost two weeks ago. Might as well trash flatpak for good.
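One way to answer the "which of my flatpaks bundle their own libwebp" question raised in this thread is to read the resolved build manifest that flatpak-builder leaves inside each installed app. This is an added example, not the commenter's or the Flatpak project's code; it assumes the standard system and per-user install roots and the `active/files/manifest.json` location, and carries constructed sample manifests so it runs on a machine without Flatpak.

```python
import json
from pathlib import Path

# Flatpak installs, system-wide and per-user. flatpak-builder writes the
# resolved build manifest of each app it built to .../active/files/manifest.json.
FLATPAK_ROOTS = [Path("/var/lib/flatpak"), Path.home() / ".local/share/flatpak"]
MANIFEST_GLOB = "app/*/*/*/active/files/manifest.json"

def iter_modules(modules):
    """Yield every module dict, descending into nested 'modules' lists."""
    for mod in modules or []:
        if isinstance(mod, dict):          # string entries reference external files; skip
            yield mod
            yield from iter_modules(mod.get("modules"))

def bundled_webp_sources(manifest):
    """Source (URL, tag or commit) of every libwebp module the app builds itself."""
    found = []
    for mod in iter_modules(manifest.get("modules")):
        if "webp" not in str(mod.get("name", "")).lower():
            continue
        for src in mod.get("sources") or []:
            if isinstance(src, dict):
                found.append(src.get("url") or src.get("tag") or src.get("commit") or src.get("type", "?"))
    return found

def classify_manifest(text):
    """Return (app id, bundled libwebp sources). An empty list means the app has no
    libwebp module of its own, i.e. it can only be using the runtime's copy."""
    manifest = json.loads(text)
    return manifest.get("app-id") or manifest.get("id") or "?", bundled_webp_sources(manifest)

def scan(roots=FLATPAK_ROOTS):
    """Map each installed app id to the libwebp sources it bundles."""
    report = {}
    for root in roots:
        for mf in Path(root).glob(MANIFEST_GLOB):
            try:
                app_id, sources = classify_manifest(mf.read_text())
            except (OSError, ValueError):
                continue                   # unreadable or malformed manifest
            report[app_id] = sources
    return report

# Constructed sample manifests (not from any real app) covering both outcomes.
SAMPLE_BUNDLED = json.dumps({"app-id": "org.example.ImageViewer", "modules": [
    {"name": "deps", "modules": [{"name": "libwebp", "sources": [
        {"type": "archive", "url": "https://example.invalid/libwebp-X.Y.Z.tar.gz"}]}]},
    {"name": "imageviewer", "sources": [{"type": "git", "url": "https://example.invalid/iv.git"}]}]})
SAMPLE_RUNTIME_ONLY = json.dumps({"app-id": "org.example.Notes", "modules": [
    {"name": "notes", "sources": [{"type": "dir", "path": "."}]}]})

if __name__ == "__main__":
    report = scan() or dict(classify_manifest(s) for s in (SAMPLE_BUNDLED, SAMPLE_RUNTIME_ONLY))
    for app_id, sources in report.items():
        status = f"bundles libwebp from {', '.join(sources)}" if sources else "no libwebp module; relies on the runtime"
        print(f"{app_id}: {status}")
```

An app that ships prebuilt binaries (an Electron app pulled in as an archive or as extra-data) has libwebp linked statically inside those binaries, so it appears here with no libwebp module; read that result as "not determined by this check", not as patched.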

They did say any that use the shared library, not just any.