What version of libwebp does Boost use and if it is currently vulnerable, when can we expect an update to fix this issue? The affected versions of libwebp are 0.5.0 to 1.3.1.
Depending on where the library lives in the Android ecosystem the update could be pushed by the play store framework as part of it’s self-update capability or it could be pushed by the OEM with the next system OTA. If it’s part of a system update you’re at the mercy of the OEM’s OTA schedule, Samsung hasn’t pushed anything for my tablet in like 8mo, same for my OnePlus phone before the update this week.
Based on this discussion here (https://news.ycombinator.com/item?id=37658635) it sounds like we’re all waiting for an OEM OTA, for some reason the video codecs are rolled into the play framework’s updates but not the image decoding libraries.
People running LineageOS and other AOSP based firmwares should be covered after their ROMs integrate the next month security patch.
So there is no central framework for pushing fixes to urgent fixes? Patching zero-days?
Welcome to the wonderful world of Android. They’re rolled into the monthly AOSP security patch and end users are at the mercy of the OEM’s update schedule.
This is why Pixel phone regular updates are a big deal, and a reason to run a regularly updated third party ROM like LineageOS.
People running LineageOS and other AOSP based firmwares should be covered after their ROMs integrate the next month security patch.
We’ve already had it in LineageOS for a week :) https://review.lineageos.org/c/LineageOS/android_external_webp/+/366608/
Proving once again that a handful of contributors in their free time still manages to beat multibillion dollars companies.
So are we expected to just avoid using any software that loads pictures for a month…or forever in the case of models with no more support?
That’s dependent on carriers in a fair few cases or phone manufacturers in others. A lot of budget phones don’t get timely security patches.
I’m sure it can. The question is, will it. Part of the reason Google started updating apps on their side and removing feature updates from Android was because carriers and service providers weren’t quick to update anything including security updates. It’s one of the big selling points of the pixel line of phones. RCS is a very good example. The main cell providers did not want to take on RCS messaging and went as far as trying to make their own fork. They’ve done this with wallet apps back in the day as well.
https://9to5google.com/2019/10/25/us-carriers-rcs-android-initiative/
https://www.engadget.com/amp/2019-10-18-google-verizon-t-mobile-pixel-4-rcs-messaging.html
