oss-sec mailing list archives

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx


From: Ken Moffat <zarniwhoop () ntlworld com>
Date: Sun, 1 Oct 2023 19:20:11 +0100

On Thu, Sep 28, 2023 at 11:37:23AM -0700, Alan Coopersmith wrote:
> Google has announced another media parsing bug, this time correctly documenting
> both the base library and Chrome versions affected in the CVE.
>
> https://www.cve.org/CVERecord?id=CVE-2023-5217 states:
>
>    Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to
>    117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially
>    exploit heap corruption via a crafted HTML page.
>    (Chromium security severity: High)


Does anyone know how far back libvpx is affected?  Asking because
seamonkey-2.53.17.1 is apparently shipping a version of libvpx-1.7.0
from 2020 and I'm told it no longer builds against system
libvpx-1.13.1, although a recent version apparently built against
libvpx-1.11.0.

ĸen
-- 
  Men marched away, Vimes. And men marched back. How glorious the
  battles would have been that they never had to fight! -- Jingo

