Tuesday, September 12, 2023

WebP chemspill patch on Github

A fix is in the TenFourFox tree for MFSA 2023-40, a/k/a CVE-2023-4863, which is a heap overflow in the WebP image decoder. Firefox 45 would not ordinarily be vulnerable to this but we have our own basic WebP decoder using Google's library, so we are technically exploitable as well. I was working on a fix of my own but the PM27 fix that roytam1 cherrypicked is cleaner, so I've added that patch and one two (a followup was needed) more for correctness. Although this issue is currently being exploited in the wild, it would require a PowerPC-specific attack to be successful on a Power Mac. You do not need to clobber to update your build.
Posted by at
Labels:

4 comments:

  1. RoySeptember 16, 2023 at 4:53 PM

    got a crash when visiting wikipedia, and found a missing patch: https://github.com/roytam1/mozilla45esr/commit/ad4ba6ecd5c2cc9b9e9ae755528dcf304b1ac837

    ReplyDelete
  2. ClassicHasClassSeptember 17, 2023 at 11:35 PM

    Thanks, checked and applied.

    ReplyDelete
  3. RoySeptember 19, 2023 at 11:15 PM

    and finally a nitpicking commit: https://github.com/roytam1/mozilla45esr/commit/53eda93e4ab6a1ddc33c8006e2b02ed86c79f4a1
    hope this is really the end for that CVE.

    ReplyDelete
  4. RoySeptember 28, 2023 at 7:38 PM

    and now there is a VP8 encoder bug with CVE score 10.0: https://github.com/roytam1/mozilla45esr/commit/69f77fc6e3f0f1245c40c9bc0fa06402f4724045

    ReplyDelete

Due to an increased frequency of spam, comments are now subject to moderation.

Subscribe to: Post Comments (Atom)