Tuesday, September 12, 2023

WebP chemspill patch on GitHub

A fix is in the TenFourFox tree for MFSA 2023-40, a/k/a CVE-2023-4863, which is a heap overflow in the WebP image decoder. Firefox 45 would not ordinarily be vulnerable to this but we have our own basic WebP decoder using Google's library, so we are technically exploitable as well. I was working on a fix of my own but the PM27 fix that roytam1 cherrypicked is cleaner, so I've added that patch and two more (a followup was needed) for correctness. Although this issue is currently being exploited in the wild, it would require a PowerPC-specific attack to be successful on a Power Mac. You do not need to clobber to update your build.


  1. got a crash when visiting Wikipedia, and found a missing patch: https://github.com/roytam1/mozilla45esr/commit/ad4ba6ecd5c2cc9b9e9ae755528dcf304b1ac837

  2. and finally a nitpicking commit: https://github.com/roytam1/mozilla45esr/commit/53eda93e4ab6a1ddc33c8006e2b02ed86c79f4a1
    hope this is really the end for that CVE.

  3. and now there is a VP8 encoder bug with CVE score 10.0: https://github.com/roytam1/mozilla45esr/commit/69f77fc6e3f0f1245c40c9bc0fa06402f4724045

