Red Hat Security Advisory 2023-5222-01

Red Hat Security Advisory 2023-5222-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a heap buffer overflow vulnerability in the WebP codec (CVE-2023-4863).

Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: libwebp security update
Advisory ID: RHSA-2023:5222-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5222
Issue date: 2023-09-19
CVE Names: CVE-2023-4863
====================================================================

1. Summary:

An update for libwebp is now available for Red Hat Enterprise Linux 8.4
Advanced Mission Critical Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v.8.4) - x86_64

3. Description:

The libwebp packages provide a library and tools for the WebP graphics
format. WebP is an image format with a lossy compression of digital
photographic images. WebP consists of a codec based on the VP8 format, and
a container based on the Resource Interchange File Format (RIFF).
Webmasters, web developers and browser developers can use WebP to compress,
archive, and distribute digital images more efficiently.

Security Fix(es):

* libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2238431 - CVE-2023-4863 libwebp: Heap buffer overflow in WebP Codec

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v.8.4):

Source:
libwebp-1.0.0-7.el8_4.1.src.rpm

x86_64:
libwebp-1.0.0-7.el8_4.1.i686.rpm
libwebp-1.0.0-7.el8_4.1.x86_64.rpm
libwebp-debuginfo-1.0.0-7.el8_4.1.i686.rpm
libwebp-debuginfo-1.0.0-7.el8_4.1.x86_64.rpm
libwebp-debugsource-1.0.0-7.el8_4.1.i686.rpm
libwebp-debugsource-1.0.0-7.el8_4.1.x86_64.rpm
libwebp-devel-1.0.0-7.el8_4.1.i686.rpm
libwebp-devel-1.0.0-7.el8_4.1.x86_64.rpm
libwebp-java-debuginfo-1.0.0-7.el8_4.1.i686.rpm
libwebp-java-debuginfo-1.0.0-7.el8_4.1.x86_64.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_4.1.i686.rpm
libwebp-tools-debuginfo-1.0.0-7.el8_4.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-4863
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlCWlpAAoJENzjgjWX9erElWkQAIQXk79Sptb9cKtv164Y75LC
ukKxnYUkVb+cZNhua8hLPKM+RgC7MDJa/B6uoed8WSmvOxqynUCmWHoWQkr+YMyy
LGbwo7Ygbyren0XaKglpQqvB6giFCYiSr2VEhzyZblTFdu8aLokEaulhCYoAWoXK
2U7yXBZGj4ADpWVKrawcTn4yj50icHssnXXFOLgO22QQbBu90tJAsX8qD6h6q3HG
VzugIkUQ6dQr1gbysO6MMWt3fDbpejZZ/VanERR8zR1646EvQiGt8fisOOhJxaU1
X4Hm0M/JIxDdTz7FRWhMRWMx0ZwUQDjhiIo3FIyjeC3FpjA7pyZPxyAyivVhJLs/
9bRNy3jRfAbHpO8Vk6R4pcc6f+DVmT865OyuFRMFdHbukDwycP7E6xFtDooVoUOQ
6/1PIGq4Y7Kzs5M2iJgHdU1cwGaAt6bP8naSaaI/wTVKG3ype+hDNUUaLSiPPeCW
2+6gzli/X1++8jNX1vW21A04NRpA+6hMZCwQkNLLMvfnlBgmcF3kKwzSZ8AueS16
vfZoyofhH90qybrLQ12gvGsDhwm6033fAfxtSQuQEd49d30lmoTohRLQ+bp+ITj2
uHN3Hq++j+XLkUWq49NSN4fghbAs3beUsrJkwi/jk25e2YcuBpy+QFd8HnZs7d+z
QbKawBqEyOtEtP45QM3A
=IqUq
-----END PGP SIGNATURE-----
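The Description section above summarises WebP as a VP8-based codec wrapped in a RIFF container, and the fix is for a heap buffer overflow in that codec. The check a practitioner wants in front of any decoder is a container walk that refuses every chunk whose declared size is not backed by bytes actually present. The following is an added example, not code from the advisory or from libwebp: a small defensive parser for the RIFF/WebP container that validates the RIFF length and each chunk length, handles the even-byte chunk padding, and reads the image dimensions from the VP8 (lossy), VP8L (lossless) and VP8X (extended) headers as laid out in the WebP container specification. It decodes no pixel data. The sample files at the bottom are constructed by hand for the example and are not real images.

```python
"""Defensive walk of the WebP RIFF container (added example, not libwebp code)."""
import struct


def _vp8l_dims(payload: bytes) -> tuple[int, int]:
    # VP8L: signature byte 0x2f, then little-endian 14-bit width-1,
    # 14-bit height-1, 1 alpha bit and a 3-bit version that must be 0.
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = struct.unpack_from("<I", payload, 1)[0]
    if bits >> 29 != 0:
        raise ValueError("unsupported VP8L version")
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1


def _vp8_dims(payload: bytes) -> tuple[int, int]:
    # VP8 key frame: 3-byte frame tag (bit 0 clear = key frame), start code
    # 9d 01 2a, then 14-bit width and 14-bit height, each with 2 scale bits.
    if len(payload) < 10 or payload[0] & 1 or payload[3:6] != b"\x9d\x01\x2a":
        raise ValueError("not a VP8 key frame")
    w, h = struct.unpack_from("<HH", payload, 6)
    return w & 0x3FFF, h & 0x3FFF


def _vp8x_dims(payload: bytes) -> tuple[int, int]:
    # VP8X: flags byte, 3 reserved bytes, 24-bit canvas width-1 and height-1.
    if len(payload) < 10:
        raise ValueError("short VP8X chunk")
    return (int.from_bytes(payload[4:7], "little") + 1,
            int.from_bytes(payload[7:10], "little") + 1)


_DIMS = {b"VP8L": ("lossless", _vp8l_dims),
         b"VP8 ": ("lossy", _vp8_dims),
         b"VP8X": ("extended", _vp8x_dims)}


def parse_webp(data: bytes) -> dict:
    """Validate the container; return kind, dimensions and the chunk list.
    Raises ValueError whenever a declared size is not backed by real bytes."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    # riff_size counts every byte after the 8-byte RIFF header.
    if riff_size < 4 or riff_size > len(data) - 8:
        raise ValueError(f"RIFF size {riff_size} exceeds {len(data) - 8} available bytes")
    end = 8 + riff_size
    info = {"kind": None, "width": None, "height": None, "chunks": []}
    pos = 12
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        # Compare against the bytes that remain rather than computing
        # start + size: in C a 32-bit start + size can wrap past the check.
        if size > end - start:
            raise ValueError(f"chunk {fourcc!r} claims {size} bytes, {end - start} remain")
        payload = data[start:start + size]
        info["chunks"].append((fourcc.decode("ascii", "replace"), size))
        if fourcc in _DIMS and info["kind"] is None:
            info["kind"], dims = _DIMS[fourcc]
            info["width"], info["height"] = dims(payload)
        pos = start + size + (size & 1)  # payloads are padded to even length
    return info


def describe(data: bytes) -> str:
    """One-line triage verdict, for running over a directory of files."""
    try:
        info = parse_webp(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    names = ",".join(name for name, _ in info["chunks"])
    return f"ok: {info['kind']} {info['width']}x{info['height']} chunks={names}"


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real images): a 16x8 lossless header plus two
# filler bytes (odd length, so the chunk gets a pad byte); an extended file
# whose VP8X canvas is 320x200; then two deliberately malformed variants.
SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", b"\x2f\x0f\xc0\x01\x00" + b"\x00\x00"))
SAMPLE_EXTENDED = _riff(
    _chunk(b"VP8X", b"\x00\x00\x00\x00" + (319).to_bytes(3, "little") + (199).to_bytes(3, "little")),
    _chunk(b"VP8L", b"\x2f\x0f\xc0\x01\x00" + b"\x00\x00\x00"),
)
SAMPLE_TRUNCATED = SAMPLE_LOSSLESS[:-4]                  # RIFF size outruns the file
SAMPLE_OVERSIZED = SAMPLE_LOSSLESS[:16] + struct.pack("<I", 0xFFFFFFF0) + SAMPLE_LOSSLESS[20:]

if __name__ == "__main__":
    for name in ("SAMPLE_LOSSLESS", "SAMPLE_EXTENDED", "SAMPLE_TRUNCATED", "SAMPLE_OVERSIZED"):
        print(f"{name}: {describe(globals()[name])}")
```

Run it over a mail spool or upload directory with `describe(open(path, "rb").read())` to separate files that are not even well-formed containers from the ones that reach the codec. A file that passes this walk can still carry a malicious bitstream inside a well-formed chunk, so the check is a triage filter, not a substitute for the patched library.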

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
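The Solution and Package List sections above give the fixed build (libwebp-1.0.0-7.el8_4.1) but not a way to decide, across a fleet, which hosts still run an older build. Deciding that correctly means comparing release tags such as 7.el8_4 and 7.el8_4.1 the way rpm itself does, not as plain strings. The following is an added example, not Red Hat tooling: a pure-Python port of rpm's rpmvercmp() ordering plus a NEVRA splitter, so that the one-line-per-package output of `rpm -q` collected from many hosts can be audited offline against the advisory's NVR. The sample `rpm -q` lines at the bottom are constructed for the example; the older release tags in them are hypothetical.

```python
"""Audit installed libwebp builds against the advisory's fixed NVR (added example)."""

# Fixed build for RHEL 8.4 AUS, taken from the advisory's package list.
FIXED_LIBWEBP = "libwebp-1.0.0-7.el8_4.1"
ARCHES = {"noarch", "src", "i686", "x86_64", "aarch64", "ppc64le", "s390x"}


def _segment(s: str, i: int, pred) -> str:
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1.
    Digit runs compare numerically, alpha runs lexically, a numeric segment
    outranks an alphabetic one, '~' sorts before anything (even end of string)
    and '^' sorts after end of string but before any other segment."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                      # '.', '_', '-' and friends are separators
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _segment(a, i, pred), _segment(b, j, pred)
        if not sb:                      # type mismatch: numeric beats alpha
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):      # more digits (sans leading zeros) wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    ra, rb = i < len(a), j < len(b)     # whoever has characters left wins
    return 0 if ra == rb else (1 if ra else -1)


def parse_nevra(s: str):
    """Split 'name-[epoch:]version-release[.arch][.rpm]' into its parts."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, _, arch = s.rpartition(".")
    if arch not in ARCHES:
        rest, arch = s, None
    nv, _, release = rest.rpartition("-")
    name, _, ev = nv.rpartition("-")
    epoch, _, version = ev.rpartition(":")
    return name, int(epoch or 0), version, release, arch


def evr_cmp(a: str, b: str) -> int:
    _, ea, va, ra, _ = parse_nevra(a)
    _, eb, vb, rb, _ = parse_nevra(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_LIBWEBP) -> bool:
    """True when the installed build is at or above the advisory's NVR."""
    if parse_nevra(installed)[0] != parse_nevra(fixed)[0]:
        raise ValueError("package name mismatch")
    return evr_cmp(installed, fixed) >= 0


def audit(lines, fixed: str = FIXED_LIBWEBP) -> dict:
    """Map each non-empty `rpm -q` output line to True (fixed) or False."""
    return {ln.strip(): is_fixed(ln.strip(), fixed) for ln in lines if ln.strip()}


# Constructed `rpm -q libwebp` output from four hypothetical hosts.
SAMPLE_RPM_Q = """\
libwebp-1.0.0-7.el8_4.1.x86_64
libwebp-1.0.0-7.el8_4.i686
libwebp-1.0.0-5.el8.x86_64
libwebp-1.0.0-7.el8_4.2.x86_64
"""

if __name__ == "__main__":
    for nevra, ok in audit(SAMPLE_RPM_Q.splitlines()).items():
        print(f"{'fixed     ' if ok else 'VULNERABLE'}  {nevra}")
```

Collect the input with `rpm -qa 'libwebp*'` on each host; every subpackage built from the fixed source RPM carries the same version-release. Two caveats: the NVR in this advisory is specific to the 8.4 AUS stream, and the same fix ships under a different release tag for other streams (the page lists RHSA-2023:5190 for 8.2, for example), so compare each host against the advisory for its own stream rather than one global NVR; and a version comparison says nothing about package authenticity, which is what the advisory's note on GPG signing addresses. `rpm -K file.rpm` (or `rpm --checksig`) checks the package signature once Red Hat's key has been imported with `rpm --import`.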

Related news

Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now

Plus: Major security patches from Microsoft, Mozilla, Atlassian, Cisco, and more.

Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw

By Waqas. The Fantom Foundation has acknowledged the breach and is currently conducting an investigation after hackers managed to steal more than $550,000 in cryptocurrency.

Update your Android devices now! Google patches two actively exploited vulnerabilities

Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited.

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Ubuntu Security Notice USN-6369-2

Ubuntu Security Notice 6369-2 - USN-6369-1 fixed a vulnerability in libwebp. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code.

Red Hat Security Advisory 2023-5309-01

Red Hat Security Advisory 2023-5309-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a buffer overflow vulnerability.

RHSA-2023:5224: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5201: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

RHSA-2023:5202: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw to crash or execute remotely arbitrary code in an application such as a web browser compiled with this library.

Debian Security Advisory 5497-2

Debian Linux Security Advisory 5497-2 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

RHSA-2023:5190: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs: * CVE-2023-4863: A heap-based buffer flaw was found in the way libwebp, a library used to process "WebP" image format data, processes certain specially formatted WebP images. An attacker could use this flaw ...

Ubuntu Security Notice USN-6369-1

Ubuntu Security Notice 6369-1 - It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-6368-1

Ubuntu Security Notice 6368-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. It was discovered that Thunderbird did not properly manage memory when handling WebP images. If a user were tricked into opening a malicious WebP image file, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code.

Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird

Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser. The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when

CVE-2023-4863

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Update Chrome now! Google patches critical vulnerability being exploited in the wild

Chrome users are being urged to patch a critical vulnerability for which an exploit is available.
