oss-sec mailing list archives
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx
From: Shawn Webb <shawn.webb () hardenedbsd org>
Date: Fri, 29 Sep 2023 16:24:15 -0400
On Thu, Sep 28, 2023 at 04:42:33PM -0400, Demi Marie Obenour wrote:
On Thu, Sep 28, 2023 at 11:37:23AM -0700, Alan Coopersmith wrote:Google has announced another media parsing bug, this time correctly documenting both the base library and Chrome versions affected in the CVE. https://www.cve.org/CVERecord?id=CVE-2023-5217 states: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Unfortunately, the bug report it points to is restricted access still: https://crbug.com/1486441 But the Chrome release notes state: Google is aware that an exploit for CVE-2023-5217 exists in the wild. https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html Mozilla has put out their own security advisory at https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ and delivered fixes in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1, and Firefox for Android 118.1. https://bugzilla.mozilla.org/show_bug.cgi?id=1855550 is also still restricted access. It does not appear that libvpx 1.13.1 has been released yet, but there are two commits in its git repo with the 1486441 bug id listed: https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590 https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282 Mozilla's commit references these two libvpx commit ids as well: https://hg.mozilla.org/mozilla-central/rev/c53f5ef77b62b79af86951a7f9130e1896b695d2How long will it take for corporations to accept that writing media codecs in C, C++, or any other memory-unsafe language is a fundamentally bad idea, and that it is better to rewrite the codecs in a safe language (such as Wuffs or Rust) than to try to secure the existing ones?
$ git clone https://chromium.googlesource.com/webm/libvpx $ cd libvpx $ git log --reverse commit 0ea50ce9cb4b65eee6afa1d041fe8beb5abda667 (tag: v0.9.0) Author: John Koleszar <jkoleszar () google com> Date: Tue May 18 11:58:33 2010 -0400 Initial WebM release I think this might predate Rust. I wonder how many technical folk would welcome alternative implementations of various popular libraries. I especially am grateful for those who advocate for, and help advance, software diversity. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
Attachment:
signature.asc
Description:
Current thread:
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx, (continued)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx nightmare . yeah27 (Sep 29)
- Re: Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Demi Marie Obenour (Sep 29)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Michael Orlitzky (Sep 29)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Travis Finkenauer (Sep 29)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Michael Orlitzky (Sep 29)
- Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Dominique Martinet (Sep 30)
- Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Demi Marie Obenour (Sep 30)
- Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Michael Orlitzky (Sep 30)
- Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Steffen Nurpmeso (Sep 30)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx nightmare . yeah27 (Sep 29)