2240759 – (CVE-2023-5129) CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP lossless file

Bug 2240759 (CVE-2023-5129) - CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP lossless file

Summary: CVE-2023-5129 libwebp: out-of-bounds write with a specially crafted WebP loss...

Keywords:
Status:	CLOSED DUPLICATE of bug 2238431
Alias:	CVE-2023-5129
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2241119 2241120 2241121 2241122
Blocks:	2240760
TreeView+	depends on / blocked

Reported:	2023-09-26 10:39 UTC by TEJ RATHI
Modified:	2023-10-09 19:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	This CVE ID has been rejected by its CVE Numbering Authority. Duplicate of CVE-2023-4863.
Clone Of:
Environment:
Last Closed:	2023-09-28 09:01:32 UTC
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-09-26 10:39:10 UTC

With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap.

The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.

The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
https://chromium.googlesource.com/webm/libwebp/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76

Comment 7 Sandipan Roy 2023-09-28 06:56:33 UTC

Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2241119]
Affects: fedora-all [bug 2241120]


Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2241122]


Created libwebp tracking bugs for this issue:

Affects: fedora-all [bug 2241121]

Comment 8 Sandipan Roy 2023-09-28 08:19:59 UTC

RHEL-7 Erratas:
https://access.redhat.com/errata/RHSA-2023:5197
https://access.redhat.com/errata/RHSA-2023:5191

RHEL-8 Erratas:
https://access.redhat.com/errata/RHSA-2023:5184
https://access.redhat.com/errata/RHSA-2023:5183
https://access.redhat.com/errata/RHSA-2023:5192
https://access.redhat.com/errata/RHSA-2023:5198
https://access.redhat.com/errata/RHSA-2023:5187
https://access.redhat.com/errata/RHSA-2023:5236
https://access.redhat.com/errata/RHSA-2023:5222
https://access.redhat.com/errata/RHSA-2023:5189
https://access.redhat.com/errata/RHSA-2023:5190
https://access.redhat.com/errata/RHSA-2023:5309
https://access.redhat.com/errata/RHSA-2023:5202
https://access.redhat.com/errata/RHSA-2023:5201
https://access.redhat.com/errata/RHSA-2023:5188
https://access.redhat.com/errata/RHSA-2023:5186
https://access.redhat.com/errata/RHSA-2023:5185

RHEL-9 Erratas:
https://access.redhat.com/errata/RHSA-2023:5200
https://access.redhat.com/errata/RHSA-2023:5205
https://access.redhat.com/errata/RHSA-2023:5204
https://access.redhat.com/errata/RHSA-2023:5214
https://access.redhat.com/errata/RHSA-2023:5224
https://access.redhat.com/errata/RHSA-2023:5223

Comment 9 Sandipan Roy 2023-09-28 09:14:38 UTC


*** This bug has been marked as a duplicate of bug 2238431 ***

Note You need to log in before you can comment on or make changes to this bug.