[MapServer-dev] WEBP vulnerability

Seth G sethg at geographika.co.uk
Wed Oct 4 09:22:24 PDT 2023

Hi devs,

There has been quite a bit of talk about the WEBP vulnerability, and I noticed Tamas has updated the GISInternals buildkit [1] and Even patched the GDAL builds [2]. 

As I understand it the vulnerability exploits user supplied images. Am I correct in thinking that this will only be an issue for MapServer if Mapfiles are setup to read images that could be created externally and then read by MapServer in a RATER layer? Or could a layer using a WMS connection (cascaded WMS) be affected? I guess in that case the external service would have to have been compromised. 

Serving WEBP as an OUTPUTFORMAT I don't think should be affected?


[1] https://github.com/gisinternals/buildsystem/issues/216
[2] https://github.com/OSGeo/gdal/issues/8501

web:https://geographika.net & https://mapserverstudio.net
twitter: @geographika

More information about the MapServer-dev mailing list