ALT-PU-2023-4066-1

Package update libwebp in branch sisyphus_mipsel

Version1.3.1-alt1

Task#0

Published2023-06-29

Max severityHIGH

Severity:

Closed issues (2)

HIGH7.5

Уязвимость функции EncodeAlphaInternal() библиотеки libwebp для кодирования и декодирования изображений в формате WebP браузеров Mozilla Firefox, Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-05-31Modified: 2025-09-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0HIGH 7.6

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:C/A:C

References

CVE-2023-1999

HIGH7.5

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.

Published: 2023-06-20Modified: 2025-02-13

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References