What version of libwebp does Boost use and if it is currently vulnerable, when can we expect an update to fix this issue? The affected versions of libwebp are 0.5.0 to 1.3.1.
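An added example, not part of this thread: a small triage helper that checks version strings against the affected range quoted above (0.5.0 through 1.3.1, inclusive) using numeric comparison, since a plain string comparison would mis-sort a version like 1.10.0 below 1.3.1. The inventory entries and their versions are constructed placeholders, not real data about Boost or any device.

```python
"""Version-range triage for the libwebp advisory discussed in the thread."""
import re
from typing import Dict, Tuple

# Affected range as quoted in the thread (inclusive on both ends).
AFFECTED_MIN = (0, 5, 0)
AFFECTED_MAX = (1, 3, 1)

# Accepts forms such as "1.3.1", "v1.3", or "1.3.1-r2" (suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range, inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample inventory (placeholder names and versions, not real data).
SAMPLE_INVENTORY: Dict[str, str] = {
    "app-a (bundled libwebp)": "1.2.4",
    "app-b (bundled libwebp)": "1.3.2",
    "hypothetical future build": "1.10.0",
    "legacy app": "0.4.1",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each inventory entry as 'affected' or 'not affected'."""
    return {name: ("affected" if is_affected(ver) else "not affected")
            for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```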

  • Max-P@lemmy.max-p.me · 32 upvotes · 1 year ago

    That’s provided through Android itself. Just update your phone and you’ll be good.

    • DungFu@lemmy.world (OP) · 7 upvotes, 5 downvotes · 1 year ago

      Ah ok, I’ll just stop using Boost until the October pixel update rolls out then

      • setVeryLoud(true);@lemmy.ca · 33 upvotes · 1 year ago

        You should stop using your phone entirely if you’re that worried.

        The vast majority of apps use the Android Web View component. No point in rolling their own, really.

        • DungFu@lemmy.world (OP) · 1 upvote · 1 year ago

          Not really, just temporarily not using apps where random people can post images that are not re-encoded. Turns out this is very few apps, but sadly every lemmy app falls under this category.

      • Prizephitah · 16 upvotes, 1 downvote · 1 year ago

        Surely Android provides security updates?

        • seaQueue@lemmy.world · 11 upvotes · 1 year ago (edited)

          Depending on where the library lives in the Android ecosystem, the update could be pushed by the Play Store framework as part of its self-update capability, or it could be pushed by the OEM with the next system OTA. If it’s part of a system update you’re at the mercy of the OEM’s OTA schedule; Samsung hasn’t pushed anything for my tablet in like 8 months, same for my OnePlus phone before the update this week.

          Based on this discussion here (https://news.ycombinator.com/item?id=37658635), it sounds like we’re all waiting for an OEM OTA; for some reason the video codecs are rolled into the Play framework’s updates but not the image decoding libraries.

          People running LineageOS and other AOSP-based firmwares should be covered after their ROMs integrate the next monthly security patch.

          • Prizephitah · 2 upvotes · 1 year ago

            So there is no central framework for pushing fixes to urgent fixes? Patching zero-days?

            • seaQueue@lemmy.world · 4 upvotes · 1 year ago

              Welcome to the wonderful world of Android. They’re rolled into the monthly AOSP security patch and end users are at the mercy of the OEM’s update schedule.

              This is why Pixel phone regular updates are a big deal, and a reason to run a regularly updated third party ROM like LineageOS.

              • Flyswat@lemmy.world · 3 upvotes · 1 year ago

                > This is why Pixel phone regular updates are a big deal, and a reason to run a regularly updated third party ROM like LineageOS.

                This is the very reason why I use LineageOS (as well as getting rid of bloatware).

              • Prizephitah · 1 upvote · 1 year ago

                As a person that’s been rolled into smartphones via work (iPhone 3GS) and then never daily driven an Android, but always thought it might be more to my liking, I’m aghast. How can this be accepted? I now understand why large botnets are often comprised of Android devices.

                • seaQueue@lemmy.world · 1 upvote · 1 year ago (edited)

                  Zero-days aren’t the big driver of botnets; there are millions (if not hundreds of millions) of very cheap, very old Android devices out there. If you look at the periodic stats Google releases, >50% of devices are running an Android version <= 10. Something like 20% of Android devices (at least according to the stats Google provides) are running Android <= 5.

                  Per earlier this year: https://m.gsmarena.com/android_13_is_now_running_on_12_of_devices_in_the_wild-news-58244.php

                  I’m assuming these stats don’t even cover a huge number of cheap Indian or Chinese devices too, those don’t come with Google services at all.

          • Maho@lemmy.blahaj.zone · 1 upvote · 1 year ago

            So are we expected to just avoid using any software that loads pictures for a month…or forever in the case of models with no more support?

            • Sethayy@sh.itjust.works · 1 upvote · 1 year ago

              Nah, you’re supposed to buy a phone and create data like a good consumer.

              The rest they really couldn’t care less about.

        • atrielienz@lemmy.world · 3 upvotes · 1 year ago

          That’s dependent on carriers in a fair few cases or phone manufacturers in others. A lot of budget phones don’t get timely security patches.

        • Hurglet@lemmy.basedcount.com · 1 upvote · 1 year ago

          Unless you’re always updooting to the newest device, older ones will get shut off from updates ~4 years after being released. It fucking sucks.