Описание
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
A heap-based buffer overflow flaw was found in the way libvpx, a library used to process VP8 and VP9 video codecs data, processes certain specially formatted video data via a crafted HTML page. This flaw allows an attacker to crash or remotely execute arbitrary code in an application, such as a web browser that is compiled with this library.
Отчет
This security issue has been classified as having an Important security impact. Desktop users are at a high risk of exploitation of this flaw with very minimal interaction. It may compromise the confidentiality, integrity, or availability of resources. Customers using this application, which does server-side video codecs by linking to the libvpx library, are also potentially impacted by this flaw and are advised to update to the fixed versions of the package.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | libvpx | Out of support scope | ||
| Red Hat Enterprise Linux 7 | libvpx | Not affected | ||
| Red Hat Enterprise Linux 9 | firefox:flatpak/firefox | Affected | ||
| Red Hat Enterprise Linux 9 | thunderbird:flatpak/thunderbird | Affected | ||
| Red Hat Enterprise Linux 7 | thunderbird | Fixed | RHSA-2023:5475 | 05.10.2023 |
| Red Hat Enterprise Linux 7 | firefox | Fixed | RHSA-2023:5477 | 05.10.2023 |
| Red Hat Enterprise Linux 8 | thunderbird | Fixed | RHSA-2023:5428 | 04.10.2023 |
| Red Hat Enterprise Linux 8 | firefox | Fixed | RHSA-2023:5433 | 04.10.2023 |
| Red Hat Enterprise Linux 8 | libvpx | Fixed | RHSA-2023:5537 | 09.10.2023 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | thunderbird | Fixed | RHSA-2023:5438 | 04.10.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.8 High
CVSS3
Связанные уязвимости
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Chromium: CVE-2023-5217 Heap buffer overflow in vp8 encoding in libvpx
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior ...
EPSS
8.8 High
CVSS3