LibWebP vulnerability affecting react native apps

[ibr4qr]

Introduction

Fresco update to the latest version( 3.1.2 ) due the CVE-2023-4863 vulnerability

Details

LibWebP has a reported critical zero-click vulnerability, the vulnerability in LibWebP was discovered on September 7, 2023 by researchers at the University of Toronto's Citizen Lab.

Discussion points

Since @facebook/react-native brings Fresco dependency which is affected by the LibWebP vulnerability, do we have a plan to migrate to the latest Fresco version?

[cortinico]

We're aware of the issue.

Sadly the latest version of Fresco is broken:

• 3.1.1 Exception loading animated gif facebook/fresco#2747

We're waiting for 3.1.3 to do this bump

[cortinico]

Fix is included in Fresco 3.1.3:
https://github.com/facebook/fresco/releases/tag/v3.1.3

It has already been bumped inside React Native and will be released in 0.73.0

[NickGerleman]

It has already been bumped inside React Native and will be released in 0.73.0

It probably wouldn’t be a bad idea to backport this to older releases as well. Dealing with untrusted WebP is not uncommon. E.g. a bad case could be a user sending a malicious image in a chat app that causes code execution on the other end.

From what I was looking at earlier, I think Electron backported.

[cortinico]

On the backport side, we discussed this a bit and we decided to don't include a major version bump of Fresco in a patch release of React Native.

If you want to use Fresco 3.0.0 you can either:

1. Update RN to 0.73.0
2. Include the following lines in your android/app/build.gradle

...
dependencies {
    ...
+   implementation("com.facebook.fresco:fresco:3.1.3")
+   implementation("com.facebook.fresco:middleware:3.1.3")
+   implementation("com.facebook.fresco:imagepipeline-okhttp3:3.1.3")
+   implementation("com.facebook.fresco:ui-common:3.1.3")
}