The vulnerability is fixed within pict-rs, which is part of lemmy instance default setup. It's such a coincidence that I've just updated it on mine.
TL;DR - it is not up to liftoff to fix it.
Oh that's interesting. I thought it would be through the app, since the article mentioned being patched in browsers; so that's definitely good to know.
https://blog.isosceles.com/the-webp-0day
tldr: libwebp has been patched and will eventually make its way to everyone. This is not an easy exploit and unless you're at the level of a nation state target, don't worry about it.
I must disagree. The information is public and there are many sources that describe how to construct such a file that can trigger the heap buffer overflow. You don't need to understand all the theory to cause the overflow.
I don't think it's that complicated. I'm sure it will be used as an N-day for a long time.
The key to effective exploitation is learning to understand deeply only those parts that require deep understanding.
A mobile client for Lemmy running on iOS and Android