New release against CVE-2023-5129?

[wegank]

The latest Linux release of Rigs of Rods is considered vulnerable to CVE-2023-5129. Specifically, the following files are suspected to contain a libwebp variant:

lib/Codec_FreeImage.so
lib/Codec_FreeImage.so.1.11.6
lib/libwebp.so.6
lib/libwebp.so.6.0.2

It would be good to know if there will soon be a new release (e.g. 2022.12.1) to fix the vulnerability.

Steps to reproduce

1. Download from https://rigs-of-rods.itch.io/rigs-of-rods.
2. Extract.
3. Check if the files above are updated.

Expected behaviour

Yes.

Actual behaviour

No.

System configuration

Additional information, logs and screenshots (optional)

[ohlidalp]

Hello.

We're planning a feature release this November/December which should also cover this issue.

Codec_FreeImage.so is part of OGRE renderer (www.ogre3d.org) which we build ourselves, we should be able to update it's dependencies. @AnotherFoxGuy knows the specifics of the build process.

[CuriousMike56]

Is libwebp required for Conan? It's only referenced here

rigs-of-rods/conanfile.py

Line 27 in 91f99be

self.requires("libwebp/1.3.0", override=True)

[AnotherFoxGuy]

I've updated libwebp in PR #3037

Is libwebp required for Conan?

It is a dependency of FreeImage, which we use to decode/load images