Your message dated Thu, 14 Sep 2023 21:22:29 +0000
with message-id <e1qgtnb-00815u...@fasolo.debian.org>
and subject line Bug#1051786: fixed in libwebp 1.2.4-0.3
has caused the Debian Bug report #1051786,
regarding CVE-2023-4863: Heap buffer overflow in WebP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051786: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051786
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: CVE-2023-4863: Heap buffer overflow in WebP
Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>



On Tue, Sep 12, 2023 at 9:07 AM Jeffrey Cliff <jeffrey.cl...@gmail.com> wrote:
>
> Dear Maintainer,
>
> 116.0.5845.187 fixes a critical remote vulnerability in chrome
>
> [$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
> Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen
> Lab at The University of Torontoʼs Munk School on 2023-09-06
>
> https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
>
> Might want to look into this at least
>
> Jeff Cliff
>
>
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500,
> 'oldstable-debug')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
> Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_CA:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: sysvinit (via /sbin/init)
> LSM: AppArmor: enabled
>
>
> Versions of packages chromium depends on:
> pn  chromium-common        <none>
> ii  libasound2             1.2.9-2
> ii  libatk-bridge2.0-0     2.49.91-2
> ii  libatk1.0-0            2.49.91-2
> ii  libatomic1             13.2.0-3
> ii  libatspi2.0-0          2.49.91-2
> ii  libbrotli1             1.0.9-2+b6
> ii  libc6                  2.37-7
> ii  libcairo2              1.17.8-3
> ii  libcups2               2.4.2-5
> ii  libdbus-1-3            1.14.10-1devuan1
> ii  libdouble-conversion3  3.3.0-1
> ii  libdrm2                2.4.115-1
> ii  libevent-2.1-7         2.1.12-stable-8
> ii  libexpat1              2.5.0-2
> ii  libflac12              1.4.3+ds-2
> ii  libfontconfig1         2.14.2-5
> ii  libfreetype6           2.13.2+dfsg-1
> ii  libgbm1                23.1.7-1
> ii  libgcc-s1              13.2.0-3
> ii  libglib2.0-0           2.77.3-1
> ii  libgtk-3-0             3.24.38-4
> ii  libjpeg62-turbo        1:2.1.5-2
> ii  libjsoncpp25           1.9.5-6
> ii  liblcms2-2             2.14-2
> ii  libminizip1            1:1.2.13.dfsg-3
> ii  libnspr4               2:4.35-1.1
> ii  libnss3                2:3.92-1
> pn  libopenh264-7          <none>
> ii  libopenjp2-7           2.5.0-2
> ii  libopus0               1.4-1
> ii  libpango-1.0-0         1.51.0+ds-2
> ii  libpng16-16            1.6.40-1
> ii  libpulse0              16.1+dfsg1-2+b1
> ii  libsnappy1v5           1.1.10-1
> ii  libstdc++6             13.2.0-3
> ii  libwebp7               1.2.4-0.2
> ii  libwebpdemux2          1.2.4-0.2
> ii  libwebpmux3            1.2.4-0.2
> ii  libwoff1               1.0.2-2
> ii  libx11-6               2:1.8.6-1
> ii  libxcb1                1.15-1
> ii  libxcomposite1         1:0.4.5-1
> ii  libxdamage1            1:1.1.6-1
> ii  libxext6               2:1.3.4-1+b1
> ii  libxfixes3             1:6.0.0-2
> ii  libxkbcommon0          1.5.0-1
> ii  libxml2                2.9.14+dfsg-1.3
> ii  libxnvctrl0            525.125.06-1
> ii  libxrandr2             2:1.5.2-2+b1
> ii  libxslt1.1             1.1.35-1
> ii  zlib1g                 1:1.2.13.dfsg-3
>
> Versions of packages chromium recommends:
> pn  chromium-sandbox  <none>
>
> Versions of packages chromium suggests:
> pn  chromium-driver  <none>
> pn  chromium-l10n    <none>
> pn  chromium-shell   <none>



-- 
------------------------------------------------------------------------------------------------
End the campaign to Cancel Richard Stallman - go to stallmansupport.org !
------------------------------------------------------------------------------------------------

--- End Message ---
--- Begin Message ---
Source: libwebp
Source-Version: 1.2.4-0.3
Done: Gianfranco Costamagna <locutusofb...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libwebp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofb...@debian.org> (supplier of updated libwebp 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Sep 2023 17:44:43 +0200
Source: libwebp
Built-For-Profiles: noudeb
Architecture: source
Version: 1.2.4-0.3
Distribution: unstable
Urgency: medium
Maintainer: Jeff Breidenbach <j...@debian.org>
Changed-By: Gianfranco Costamagna <locutusofb...@debian.org>
Closes: 1051786
Changes:
 libwebp (1.2.4-0.3) unstable; urgency=medium
 .
   * Non-maintainer upload
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: Heap buffer overflow in BuildHuffmanTable
     - debian/patches/CVE-2023-4863.patch: fix OOB write in
       BuildHuffmanTable in src/dec/vp8l_dec.c, src/dec/vp8li_dec.h,
       src/utils/huffman_utils.c, src/utils/huffman_utils.h.
     - CVE-2023-4863 (Closes: #1051786)
Checksums-Sha1:
 ae376370cf5af552dae5f4bacd56462998966e44 2379 libwebp_1.2.4-0.3.dsc
 024945f296f435689a3f866a6aac74e0ed50a4a5 12004 libwebp_1.2.4-0.3.debian.tar.xz
 83168a2c666b48f00c89f8a9218bc4bcacb65d47 8332 
libwebp_1.2.4-0.3_source.buildinfo
Checksums-Sha256:
 822a6258c3d41b875a60e709c46cf739c55047b4b6d0e1541c5432a4fe445ec8 2379 
libwebp_1.2.4-0.3.dsc
 e2196110d735d4020feefa38ca28abc6e87a3998c0ce9645dbc8745ac64dc20d 12004 
libwebp_1.2.4-0.3.debian.tar.xz
 2726c5aef385361ea9ada8e518073f22c98ffbbffff2e733745d0ab13b4faac2 8332 
libwebp_1.2.4-0.3_source.buildinfo
Files:
 7f4d117d960f22180d0ca71da228554c 2379 libs optional libwebp_1.2.4-0.3.dsc
 5e73b5b54e7e3f95350c56fe095a5544 12004 libs optional 
libwebp_1.2.4-0.3.debian.tar.xz
 a1b5290e27af3d4f7016423c2673b7dc 8332 libs optional 
libwebp_1.2.4-0.3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
