oss-sec mailing list archives
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx
From: Ken Moffat <zarniwhoop () ntlworld com>
Date: Sun, 1 Oct 2023 19:20:11 +0100
On Thu, Sep 28, 2023 at 11:37:23AM -0700, Alan Coopersmith wrote:
Google has announced another media parsing bug, this time correctly documenting both the base library and Chrome versions affected in the CVE. https://www.cve.org/CVERecord?id=CVE-2023-5217 states: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Does anyone know how far back libvpx is affected ? Asking because seamonkey-2.53.17.1 is apparently shipping a version of libvpx-1.7.0 from 2020 and I'm told it no longer builds against system libvpx-1.13.1, although a recent version apparently built against libvpx-1.11.0. ĸen -- Men marched away, Vimes. And men marched back. How glorious the battles would have been that they never had to fight! -- Jingo
Current thread:
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Ken Moffat (Oct 01)