What version of libwebp does Boost use and if it is currently vulnerable, when can we expect an update to fix this issue? The affected versions of libwebp are 0.5.0 to 1.3.1.

32 points

That’s provided through Android itself. Just update your phone and you’ll be good.

2 points

Ah ok, I’ll just stop using Boost until the October pixel update rolls out then

33 points

You should stop using your phone entirely if you’re that worried.

The vast majority of apps use the Android Web View component. No point in rolling their own, really.

1 point

Not really, just temporarily not using apps where random people can post images that are not re-encoded. Turns out this is very few apps, but sadly every Lemmy app falls under this category.

15 points

Surely Android provides security updates?

11 points

Depending on where the library lives in the Android ecosystem the update could be pushed by the play store framework as part of its self-update capability or it could be pushed by the OEM with the next system OTA. If it’s part of a system update you’re at the mercy of the OEM’s OTA schedule, Samsung hasn’t pushed anything for my tablet in like 8mo, same for my OnePlus phone before the update this week.

Based on this discussion here (https://news.ycombinator.com/item?id=37658635) it sounds like we’re all waiting for an OEM OTA, for some reason the video codecs are rolled into the play framework’s updates but not the image decoding libraries.

People running LineageOS and other AOSP-based firmwares should be covered after their ROMs integrate the next month's security patch.

4 points

Yeah, they’re monthly. So the next one is in October like OP said.

3 points

That’s dependent on carriers in a fair few cases or phone manufacturers in others. A lot of budget phones don’t get timely security patches.


Boost For Lemmy

!boostforlemmy@lemmy.world

Community of the Android app Boost for Lemmy
