[GHSA-j7hp-h8jx-5ppr] libwebp: OOB write in BuildHuffmanTable

[Nachtalb]

Updates

• Affected products

Comments
Provide more commonly used affected dependencies

[shelbyc]

👋 Hi @Nachtalb, do you have reference links showing that Pillow and webp are affected by GHSA-j7hp-h8jx-5ppr? I found this commit showing that webp upgraded a dependency on libwebp-sys, but I'm not able to find a similar commit for Pillow. Additionally, Pillow appears to have no version called 4.8.1 on PyPI or GitHub.

[Nachtalb]

Hi, yeah, I have copied the wrong value from my list for some reason. The correct Pillow version is 10.0.1

Pillow:

• Updated libwebp to 1.3.2 python-pillow/Pillow#7395
• https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html#security

Webp (rust):

• chore: Bump libwebp-sys and crate version jaredforth/webp#30

Can I somehow edit this file directly or create a new entry? (Or should I use the usual fork -> PR)

[advisory-database]

Hi @Nachtalb! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[shelbyc]

@Nachtalb I was able to incorporate the suggested additions and reference links just fine. Thanks for contributing!