When do critical security updates hit PureOS?

EDIT: So I did it. I replied without reading the whole thing. This is not about the webp vulnerability… Oh well! Leaving my comment below anyway.

A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1-2.1+deb11u2.

(PureOS Byzantium is Bullseye)

$ dpkg -l libwebp6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-=================================================
ii  libwebp6:arm64 0.6.1-2.1+deb11u2 arm64        Lossy compression of digital photographic images.

At least on my device, libwebp6 is up to date.

Then:

$ apt-cache rdepends libwebp6 | grep chromium
  chromium-shell
  chromium
  chromium-shell
  chromium

$ apt-cache rdepends libwebp6 | grep firefox
$

OK, so if you use the packaged Chromium (not Flatpak), you should be covered already, since it’s using the system-provided libwebp. Other notable appearances in that list (if removing grep) would be: gimp, telegram-purple, libwebkit2gtk (used by Gnome Browser aka Epiphany, again not from the Flatpak), libqtwebkit5 (used by other apps that are Qt/KDE based), so a lot is covered already.

Firefox is not in that list however. Does Firefox ESR even support webp?

Ah! I found it, it was a dependency of a dependency:

$ apt-cache depends firefox-esr | grep libavcodec
 |Recommends: <libavcodec59>
 |Recommends: <libavcodec-extra59>
 |Recommends: libavcodec58
    libavcodec-extra58
 |Recommends: libavcodec-extra58
 |Recommends: <libavcodec57>
 |Recommends: <libavcodec-extra57>
 |Recommends: <libavcodec56>
 |Recommends: <libavcodec-extra56>
 |Recommends: <libavcodec55>
 |Recommends: <libavcodec-extra55>
 |Recommends: <libavcodec54>
 |Recommends: <libavcodec-extra54>
 |Recommends: <libavcodec53>
  Recommends: <libavcodec-extra53>

$ apt-cache rdepends libwebp6 | grep libavcodec
  libavcodec-extra58
  libavcodec58
  libavcodec-extra58
  libavcodec58

$ dpkg -l libavcodec58
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version           Architecture Description
+++-==================-=================-============-======================================================================
ii  libavcodec58:arm64 7:4.3.6-0+deb11u1 arm64        FFmpeg library with de/encoders for audio/video codecs - runtime files

There we go. So, if I understand this correctly, we should be covered already.

Now for Flatpak software, that depends on each package (or each runtime)…
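The check done by eye in the post above (is the installed libwebp6 at least the advisory's fixed version?) is easy to get wrong with a plain string comparison: Debian versions carry an epoch (`7:` in the libavcodec58 line), digit runs compare numerically (`1.10` is newer than `1.9`), and `~` sorts before everything (so `1.0~rc1` is older than `1.0`, and a `~bpo11+1` backport is older than the plain release). The following is an added example, not code from the post or from PureOS/Debian: it reimplements dpkg's version-ordering rules (Debian Policy section 5.6.12 / dpkg's `verrevcmp`) in Python and applies them to `dpkg -l` output. The sample lines are copied from the post; a caller is assumed to pass the captured text of `dpkg -l <package>` as `dpkg_l_output`.

```python
"""Check whether an installed Debian/PureOS package meets the fixed version named in a
security advisory, using dpkg's own version-ordering rules.

Added example for the post above; not code from the post or from PureOS/Debian.
The dpkg -l sample lines are copied from the post; `dpkg_l_output` is assumed to be
the text of `dpkg -l <package>` captured by the caller."""


def _order(c):
    """dpkg's character weight for the non-digit parts of a version string:
    '~' sorts before everything (even the empty string), letters before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or Debian revision) the way dpkg's
    verrevcmp() does: alternate non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg's ordering.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version):
    """Split [epoch:]upstream[-revision]; a missing revision counts as '0' (Debian Policy 5.6.12)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_version(dpkg_l_output, package):
    """Pull the version of `package` from `dpkg -l` output; None unless its status is 'ii'."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        # Columns: status, name[:arch], version, architecture, description...
        if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == package:
            return fields[2]
    return None


def meets_fixed_version(dpkg_l_output, package, fixed_version):
    """True when the package is installed at a version >= the advisory's fixed version."""
    current = installed_version(dpkg_l_output, package)
    return current is not None and compare_versions(current, fixed_version) >= 0


# Sample `dpkg -l` lines copied from the post above (arm64, PureOS Byzantium).
SAMPLE_DPKG_L = """\
ii  libwebp6:arm64 0.6.1-2.1+deb11u2 arm64        Lossy compression of digital photographic images.
ii  libavcodec58:arm64 7:4.3.6-0+deb11u1 arm64        FFmpeg library with de/encoders for audio/video codecs - runtime files
"""

if __name__ == "__main__":
    # Fixed version for bullseye as quoted from the advisory in the post.
    print("libwebp6 at fixed version:",
          meets_fixed_version(SAMPLE_DPKG_L, "libwebp6", "0.6.1-2.1+deb11u2"))
```

On a real system, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libwebp6)" ge 0.6.1-2.1+deb11u2` does the same comparison with dpkg's own implementation; the Python version is useful when checking `dpkg -l` output collected from several devices offline.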