[MapServer-dev] WEBP vulnerability
Even Rouault
even.rouault at spatialys.com
Wed Oct 4 10:12:28 PDT 2023
Hi Seth,
> There has been quite a bit of talk about the WEBP vulnerability, and I noticed Tamas has updated the GISInternals buildkit [1] and Even patched the GDAL builds [2].
>
> As I understand it the vulnerability exploits user supplied images. Am I correct in thinking that this will only be an issue for MapServer if Mapfiles are set up to read images that could be created externally and then read by MapServer in a RASTER layer? Or could a layer using a WMS connection (cascaded WMS) be affected? I guess in that case the external service would have to have been compromised.
Yes, reading through a cascaded WMS could be affected if all following
conditions are met:
- the WMS server returns a hostile WEBP image (or possibly a TIFF or
GeoPackage using the WebP codec), which implies that server has been
compromised or is hostile (if the server just uses an unpatched libwebp
to return WebP images, that should be safe). Note that having wms_format
or wms_formatlist listing only PNG or JPEG formats isn't a protection if
the server is hostile/compromised.
- GDAL and/or libtiff (on the machine running MapServer) have been built
with libwebp support
- the libwebp version used by GDAL/libtiff hasn't been patched for the
vulnerability
> Serving WEBP as an OUTPUTFORMAT I don't think should be affected?
That should be safe. The issue is on reading hostile WebP images.
Even
--
http://www.spatialys.com
My software is free, but my time generally not.
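
Added example, not part of the message above and not MapServer or GDAL code: the reply notes that wms_format / wms_formatlist does not constrain what a hostile server actually returns, so this sketch classifies a response body by its leading bytes and applies an allowlist, as a filtering proxy in front of a cascaded WMS might. The proxy placement, the function names and the sample bytes are assumptions constructed for illustration; only classic TIFF (first IFD) is inspected.

```python
import struct

WEBP_IN_TIFF = 50001  # libtiff COMPRESSION_WEBP

def tiff_compression(data):
    """Compression tag (259) from the first IFD of a classic TIFF, else None."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd = struct.unpack(e + "HI", data[2:8])
    if magic != 42 or ifd + 2 > len(data):
        return None
    (count,) = struct.unpack(e + "H", data[ifd:ifd + 2])
    for i in range(count):
        entry = data[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            return None  # truncated IFD
        tag, typ, _n = struct.unpack(e + "HHI", entry[:8])
        if tag == 259 and typ == 3:  # type 3 = SHORT
            return struct.unpack(e + "H", entry[8:10])[0]
    return None

def sniff(data):
    """Classify a response body by its leading bytes, ignoring Content-Type."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:16] == b"SQLite format 3\x00":
        return "sqlite"  # GeoPackage container
    if data[:2] in (b"II", b"MM"):
        return "tiff+webp" if tiff_compression(data) == WEBP_IN_TIFF else "tiff"
    return "unknown"

def accept(data, allowed=("png", "jpeg")):
    """Allowlist on sniffed content; everything else is dropped."""
    return sniff(data) in allowed

# Constructed sample bodies (headers only, not real images).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_WEBP = b"RIFF" + struct.pack("<I", 4) + b"WEBP"
SAMPLE_TIFF_WEBP = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
                    + struct.pack("<HHIHH", 259, 3, 1, WEBP_IN_TIFF, 0)
                    + struct.pack("<I", 0))
```

The allowlist is on sniffed content rather than on the declared format, so a body labelled image/png that is really WebP, TIFF or GeoPackage never reaches the decoder.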