oss-sec mailing list archives
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 22 Sep 2023 07:42:22 -0400
On 2023-09-22 01:28, Hanno Böck wrote:
> On Thu, 21 Sep 2023 22:52:50 +0200 Solar Designer <solar () openwall com> wrote:
>> However, another maybe-important one also made it into 1.3.2:
>>
>> commit 95ea5226c870449522240ccff26f0b006037c520
>> Author: Vincent Rabaud <vrabaud () google com>
>> Date:   Mon Sep 11 16:06:08 2023 +0200
>>
>>     Fix invalid incremental decoding check.
>
> It does not look to me that this fix is in 1.3.2:
> https://github.com/webmproject/libwebp/commits/v1.3.2
>
> I've seen this commit as well and have been wondering for a few days if
> we'll hear about another libwebp issue soon.
We (Ubuntu) didn't include that second commit in our libwebp updates, and I don't believe Red Hat/Fedora did either. If that second commit does have a security impact, it probably needs a different CVE to clear up confusion.
Marc.
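The disagreement above comes down to one question: is a given commit reachable from a release tag? That can be answered mechanically rather than by eyeballing a commit list. The script below is an added example for this archive page, not code from the thread or from the libwebp project. It builds a throwaway repository that mirrors the situation being discussed (a tag is cut, then a further fix lands on the branch afterwards) and uses `git merge-base --is-ancestor` to test containment; the tag name, commit messages and SHAs in the fixture are constructed and are not libwebp's.

```shell
#!/bin/sh
# Added example: decide whether a commit is contained in a release tag.
# The repository built here is a constructed fixture, not the libwebp tree.
set -e

# commit_in_ref REPO COMMIT REF
# Exit status 0 if COMMIT is REF or an ancestor of REF, 1 otherwise.
# merge-base --is-ancestor follows the full history graph, so it is not
# fooled by cherry-picks with a different SHA (those need a patch-id check).
commit_in_ref() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# tags_containing REPO COMMIT
# Print every tag whose history includes COMMIT (one per line).
tags_containing() {
    git -C "$1" tag --contains "$2"
}

# make_fixture
# Create a temporary repo: one commit before the tag, the tag, then one
# commit after it (standing in for the "Fix invalid incremental decoding
# check" commit that the thread says is not in 1.3.2). Prints the repo path.
make_fixture() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q --allow-empty -m "fix included in the release"
    git -C "$repo" tag v1.3.2
    git -C "$repo" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q --allow-empty -m "Fix invalid incremental decoding check"
    echo "$repo"
}

# Demo when run directly: report both commits against the tag, then clean up.
main() {
    repo=$(make_fixture)
    fix=$(git -C "$repo" rev-parse HEAD)
    pre=$(git -C "$repo" rev-parse HEAD~1)
    for c in "$pre" "$fix"; do
        if commit_in_ref "$repo" "$c" v1.3.2; then
            echo "$c: contained in v1.3.2"
        else
            echo "$c: NOT in v1.3.2 (tags containing it: $(tags_containing "$repo" "$c" | tr '\n' ' '))"
        fi
    done
    rm -rf "$repo"
}
main
```

Against a real clone the same check is `git -C libwebp merge-base --is-ancestor 95ea5226c870449522240ccff26f0b006037c520 v1.3.2` (exit status 0 means contained). For a distribution package the equivalent check is the package's patch series rather than upstream tags, since, as the reply notes, a distro update can carry one upstream commit and not another.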