More than 14 weeks pasted since Apple Product Security team reported the issue affecting WebP open source project to Google, in follow up to the BLASTPASS iOS exploit that was discovered in the wild by CitizenLab and discussed in September. This means that the email chain is now public as of December 14, 2023. We also learn that that Brotli compression algorithm almost got impacted by the same issue (c.f. BrotliBuildHuffmanTable) but the shape of Huffman tree is checked before actual lookup t...
