What IBM i Users Should Check when Learning of an Open Source Security Vulnerability

A client asked about a vulnerability found in libwebp, which is used by PHP’s image-handling gd extension.

My first step was to find a reputable source for details. According to this trusted article about the vulnerability, the issue affected only libwebp versions 1.3.1 and earlier. I checked our own system and found we had a patched version from IBM, so we were safe. The client was, too.

Here is the procedure you can use for checking the version of this or any other open source package on IBM i.

How to check your package version

The easiest way is to use the Open Source Package Management window of Access Client Solutions (ACS). The link is at or near the bottom of the left-side menu:

Figure: ACS Open Source Package Management menu link

After clicking the link and logging in, you should see a list of installed packages. To narrow your search to the component you want, select the View / Filter… menu option shown below:

Figure: View -> Filter… option in Open Source Package Management

Then type the package name you are looking for in the Package Filter input box that appears:

Figure: Package Filter prompt (libwebp)

After clicking OK, you will see any matching packages:

Figure: Filtered list showing libwebp7 with its version number

The list showed that the libwebp package was called libwebp7, and the version was 1.3.2-1, a higher number than the vulnerable 1.3.1 version. Our version was safely patched.

If I had needed to update libwebp7, I could have clicked on Updates available and looked for a newer version.
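The same check from the command line, as an added example that is not part of the original post: open source packages on IBM i are RPMs, so the rpm command in the PASE shell can report the installed version, and a small POSIX sh script can compare it with the first fixed version. The script and its version comparison are my own; the package name libwebp7 and the 1.3.1/1.3.2 boundary come from the post, and the rpm location is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): command-line equivalent of the ACS
# version check, run from the IBM i PASE shell where open source packages are RPMs.
# Assumptions: rpm is on the PATH (normally /QOpenSys/pkgs/bin); versions are
# numeric components separated by '.' or '-', as in 1.3.2-1.

# version_ge A B: succeed (exit 0) when version A is greater than or equal to B.
# Compares numerically component by component; missing components count as 0,
# so 1.3.2-1 >= 1.3.2 and 1.3.1 < 1.3.2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_package NAME FIXED: query the installed RPM version of NAME and compare it
# with FIXED, the first version that carries the fix. Returns 0 when the installed
# version is at or above FIXED, 1 when it is below, 2 when NAME is not installed.
check_package() {
    pkg=$1
    fixed=$2
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null) || {
        echo "$pkg: not installed"
        return 2
    }
    if version_ge "$installed" "$fixed"; then
        echo "$pkg $installed: at or above fixed version $fixed"
        return 0
    fi
    echo "$pkg $installed: below fixed version $fixed, update needed"
    return 1
}

# Usage: sh check-pkg.sh libwebp7 1.3.2
# (libwebp 1.3.1 and earlier are the affected versions named in the post.)
if [ $# -ge 2 ]; then
    check_package "$1" "$2"
fi
```

A version number alone only proves safety when the fix shipped as a version bump; if a vendor backports a fix into an older version, the package changelog (rpm -q --changelog) is the place to confirm it.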

New IBM repositories

If you do not see new versions like the one shown above, check the third column of the list. If the third column does not show the repository names ibmi-base or ibmi-release, you will need to enable them to get the latest open source updates. Enable them by clicking the Available packages tab and installing the package ibmi-repos.

For more information on IBM’s new repositories, go to https://techchannel.com/SMB/08/2022/ibm-i-rpm-repositories.
