Bug 2240759 (CVE-2023-5129) - CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP lossless file
Summary: CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP loss...
Keywords:
Status: CLOSED DUPLICATE of bug 2238431
Alias: CVE-2023-5129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2241119 2241120 2241121 2241122
Blocks: 2240760
TreeView+ depends on / blocked
 
Reported: 2023-09-26 10:39 UTC by TEJ RATHI
Modified: 2023-10-09 19:13 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.
Clone Of:
Environment:
Last Closed: 2023-09-28 09:01:32 UTC
Embargoed:

Attachments (Terms of Use)

Description TEJ RATHI 2023-09-26 10:39:10 UTC 
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap.

The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.

The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76
Comment 7 Sandipan Roy 2023-09-28 06:56:33 UTC 
Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2241119]
Affects: fedora-all [bug 2241120]


Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2241122]


Created libwebp tracking bugs for this issue:

Affects: fedora-all [bug 2241121]
Comment 8 Sandipan Roy 2023-09-28 08:19:59 UTC 
RHEL-7 Erratas:
https://access.redhat.com/errata/RHSA-2023:5197
https://access.redhat.com/errata/RHSA-2023:5191

RHEL-8 Erratas:
https://access.redhat.com/errata/RHSA-2023:5184
https://access.redhat.com/errata/RHSA-2023:5183
https://access.redhat.com/errata/RHSA-2023:5192
https://access.redhat.com/errata/RHSA-2023:5198
https://access.redhat.com/errata/RHSA-2023:5187
https://access.redhat.com/errata/RHSA-2023:5236
https://access.redhat.com/errata/RHSA-2023:5222
https://access.redhat.com/errata/RHSA-2023:5189
https://access.redhat.com/errata/RHSA-2023:5190
https://access.redhat.com/errata/RHSA-2023:5309
https://access.redhat.com/errata/RHSA-2023:5202
https://access.redhat.com/errata/RHSA-2023:5201
https://access.redhat.com/errata/RHSA-2023:5188
https://access.redhat.com/errata/RHSA-2023:5186
https://access.redhat.com/errata/RHSA-2023:5185

RHEL-9 Erratas:
https://access.redhat.com/errata/RHSA-2023:5200
https://access.redhat.com/errata/RHSA-2023:5205
https://access.redhat.com/errata/RHSA-2023:5204
https://access.redhat.com/errata/RHSA-2023:5214
https://access.redhat.com/errata/RHSA-2023:5224
https://access.redhat.com/errata/RHSA-2023:5223
Comment 9 Sandipan Roy 2023-09-28 09:14:38 UTC 

*** This bug has been marked as a duplicate of bug 2238431 ***
Note You need to log in before you can comment on or make changes to this bug.