CVE-2023-5129

With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap.

The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.

The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.
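The sizing problem described above, as an added example (not libwebp's code and not part of the advisory): a write-free pass that counts the entries a two-level table with an 8-bit root needs for a given set of code lengths, so the result can be checked against the buffer capacity before anything is filled. The function names, the simplified canonical-code walk, and the capacity argument are assumptions made for illustration.

```c
#include <stddef.h>

#define MAX_ALLOWED_CODE_LENGTH 15 /* longest code, per the advisory */
#define ROOT_BITS 8                /* first-level lookup width */

/* Bits indexed by a second-level table whose shortest code has length len. */
static int next_table_bits(const int *count, int len) {
    int left = 1 << (len - ROOT_BITS);
    while (len < MAX_ALLOWED_CODE_LENGTH) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - ROOT_BITS;
}

/* Entries needed for these code lengths; 0 if they do not form a complete
 * prefix code. Nothing is written, so no buffer is required to call it. */
size_t huffman_table_entries(const unsigned char *lengths, size_t n) {
    int count[MAX_ALLOWED_CODE_LENGTH + 1] = {0};
    size_t total = (size_t)1 << ROOT_BITS;
    unsigned code = 0, last_prefix = ~0u;
    long slots = 1; /* unassigned codes at the current length */
    for (size_t i = 0; i < n; ++i) {
        if (lengths[i] > MAX_ALLOWED_CODE_LENGTH) return 0;
        ++count[lengths[i]];
    }
    for (int len = 1; len <= MAX_ALLOWED_CODE_LENGTH; ++len) {
        slots = 2 * slots - count[len];
        if (slots < 0) return 0; /* over-subscribed lengths */
        code <<= 1;
        for (; len > ROOT_BITS && count[len] > 0; --count[len], ++code) {
            unsigned prefix = code >> (len - ROOT_BITS);
            if (prefix != last_prefix) { /* new second-level table */
                total += (size_t)1 << next_table_bits(count, len);
                last_prefix = prefix;
            }
        }
        code += (unsigned)count[len]; /* only nonzero for len <= ROOT_BITS */
    }
    return slots == 0 ? total : 0;
}

/* Nonzero only when the code is valid and fits in `capacity` entries. */
int huffman_table_fits(const unsigned char *lengths, size_t n, size_t capacity) {
    size_t need = huffman_table_entries(lengths, n);
    return need != 0 && need <= capacity;
}
```

With constructed inputs, 256 symbols of length 8 need exactly the 256 first-level entries, while 16 symbols with lengths 1 through 15 (the last length used twice) need 384, because the long codes add a 128-entry second-level table.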


Commit: 902bc9190331343b2017211debcec8d2ab87e17a
Parent: 7ba44f80f3b94fc0138db159afea770ef06532a0
Author and committer: Vincent Rabaud, Thu Sep 07 19:16:03 2023

Commit message:

Fix OOB write in BuildHuffmanTable.

First, BuildHuffmanTable is called to check if the data is valid.
If it is and the table is not big enough, more memory is allocated.

This will make sure that valid (but unoptimized because of unbalanced
codes) streams are still decodable.

Bug: chromium:1479274
Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741

Files modified:

src/dec/vp8l_dec.c
src/dec/vp8li_dec.h
src/utils/huffman_utils.c
src/utils/huffman_utils.h

Related news

Gentoo Linux Security Advisory 202401-10

Gentoo Linux Security Advisory 202401-10 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could lead to remote code execution. Versions greater than or equal to 115.6.0:esr are affected.

Red Hat Security Advisory 2023-5447-01

Red Hat Security Advisory 2023-5447-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:5447: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.0 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.8.0 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-26115: A flaw was found in the Node.js word-wrap module, where it is vulnerable to a denial of service caused by a Regular expression denial of service (ReDoS) issue in the result variable. By sending a specially crafted regex input, a remote attacker can cause a denial of service.

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

The security pitfalls of social media sites offering ID-based authentication

Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can

Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score

Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially
