Bug 2240759 (CVE-2023-5129)

Summary: CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP lossless file
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Reporter: TEJ RATHI <trathi>
Assignee: Product Security <prodsec-ir-bot>
CC: saroy, tpopela
Keywords: Security
Doc Type: If docs needed, set a value
Doc Text: This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.
Last Closed: 2023-09-28 09:01:32 UTC
Bug Depends On: 2241119, 2241120, 2241121, 2241122
Bug Blocks: 2240760

Description TEJ RATHI 2023-09-26 10:39:10 UTC
With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap.

The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.

The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76
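
Added example (not libwebp code and not part of this bug report): a sizing check for a two-level Huffman lookup table of the kind the description refers to. It counts the second-level entries as well as the 8-bit first level, so a caller can compare the requirement with the allocated buffer before anything is written. The function names, the decision to reject anything but a complete prefix code, and the sample code lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_LEN 15 /* MAX_ALLOWED_CODE_LENGTH on the page */

/* Bits of the second-level table opened for the next code of length len. */
static int next_table_bits(const int *count, int len, int root) {
  int left = 1 << (len - root);
  for (; len < MAX_LEN; ++len, left <<= 1) {
    left -= count[len];
    if (left <= 0) break;
  }
  return len - root;
}

/* Root table plus all second-level tables; -1 unless a complete prefix code. */
long required_entries(const uint8_t *lens, int n, int root) {
  int count[MAX_LEN + 1] = {0}, bits = 0;
  long total = 1L << root, kraft = 0, slots = 0;
  for (int i = 0; i < n; ++i) {
    if (lens[i] > MAX_LEN) return -1;
    if (lens[i]) { ++count[lens[i]]; kraft += 1L << (MAX_LEN - lens[i]); }
  }
  if (kraft != (1L << MAX_LEN)) return -1; /* incomplete or over-subscribed */
  for (int len = root + 1; len <= MAX_LEN; ++len) {
    for (; count[len] > 0; --count[len]) {
      if (slots == 0) { /* previous sub-table is full: open a new one */
        bits = next_table_bits(count, len, root);
        slots = 1L << bits;
        total += slots;
      }
      slots -= 1L << (bits - (len - root));
    }
  }
  return total;
}

/* Guard to run before any table write: does the code fit the buffer? */
int table_fits(const uint8_t *lens, int n, int root, long capacity) {
  long need = required_entries(lens, n, root);
  return need > 0 && need <= capacity;
}

int main(void) { /* constructed sample: 255 codes of 8 bits, then 9..15, 15 */
  uint8_t lens[263]; int n = 0;
  while (n < 255) lens[n++] = 8;
  for (int len = 9; len <= MAX_LEN; ++len) lens[n++] = (uint8_t)len;
  lens[n++] = MAX_LEN;
  printf("need=%ld fits256=%d\n", required_entries(lens, n, 8), table_fits(lens, n, 8, 256));
}
```

For the constructed sample, a buffer sized only for the 8-bit first level (256 entries) is rejected, because the codes longer than 8 bits need one further 128-entry second-level table.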

Comment 7 Sandipan Roy 2023-09-28 06:56:33 UTC
Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2241119]
Affects: fedora-all [bug 2241120]


Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2241122]


Created libwebp tracking bugs for this issue:

Affects: fedora-all [bug 2241121]

Comment 9 Sandipan Roy 2023-09-28 09:14:38 UTC

*** This bug has been marked as a duplicate of bug 2238431 ***