Уязвимость CVE-2023-5217: Информация

Описание

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Важность: HIGH (8,8) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-5217

Опубликовано: 28 сентября 2023 г.

Изменено: 15 февраля 2024 г.

Идентификатор типа ошибки: CWE-787

Исправленные пакеты

Имя пакета	Ветка	Исправлено в версии	Версия в репозитории	Errata ID	№ Задания	Состояние
chromium	sisyphus	117.0.5938.132-alt1	124.0.6367.78-alt1	ALT-PU-2023-5936-1	330513	Исправлено
chromium	p10	117.0.5938.132-alt0.p10.1	119.0.6045.159-alt0.p10.1	ALT-PU-2023-5979-2	330563	Исправлено
chromium-gost	sisyphus	120.0.6099.109-alt2	121.0.6167.160-alt1	ALT-PU-2023-8370-1	337351	Исправлено
firefox	sisyphus	118.0.2-alt1	125.0.2-alt1	ALT-PU-2023-6277-1	331512	Исправлено
firefox	sisyphus_riscv64	118.0.2-alt0.port	124.0.1-alt0.port	ALT-PU-2023-6456-1	-	Исправлено
firefox	p10	118.0.2-alt0.p10.1	118.0.2-alt0.p10.1	ALT-PU-2024-4241-4	342418	Исправлено
firefox-esr	sisyphus	115.3.1-alt1	115.10.0-alt1	ALT-PU-2023-5991-2	330520	Исправлено
firefox-esr	p10	115.3.1-alt4	115.10.0-alt1	ALT-PU-2023-6436-2	330014	Исправлено
firefox-esr	c10f1	115.8.0-alt0.c10.1	115.9.1-alt0.c10.1	ALT-PU-2024-3614-2	340631	Исправлено
thunderbird	sisyphus	115.3.1-alt1	115.9.0-alt1	ALT-PU-2023-6200-2	331244	Исправлено
thunderbird	p10	115.8.1-alt1	115.9.0-alt1	ALT-PU-2024-3860-2	342581	Исправлено
thunderbird	c10f1	115.8.1-alt0.c10.1	115.9.0-alt0.c10.1	ALT-PU-2024-4748-2	343092	Исправлено
yandex-browser-stable	sisyphus	23.9.1.1033-alt1	24.1.3.845-alt1	ALT-PU-2023-6281-2	331359	Исправлено
yandex-browser-stable	p10	23.9.1.1033-alt1	24.1.3.845-alt1	ALT-PU-2023-6350-2	331673	Исправлено
yandex-browser-stable	c10f1	23.9.1.1033-alt1	24.1.3.845-alt1	ALT-PU-2023-6567-2	331675	Исправлено
yandex-browser-stable	c9f2	23.9.1.1033-alt1	24.1.3.845-alt1	ALT-PU-2023-6351-2	331674	Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка	Ресурс
https://crbug.com/1486441	Issue Tracking Permissions Required
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html	Release Notes Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/28/5	Mailing List Patch Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/28/6	Mailing List Patch Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/2	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/7	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/9	Mailing List Third Party Advisory
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/	Third Party Advisory
https://pastebin.com/TdkC4pDv	Not Applicable
https://github.com/webmproject/libvpx/tags	Product
https://security-tracker.debian.org/tracker/CVE-2023-5217	Patch Third Party Advisory
https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282	Patch
http://www.openwall.com/lists/oss-security/2023/09/29/11	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/12	Mailing List Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/09/28/5	Mailing List Third Party Advisory
https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2241191	Issue Tracking Third Party Advisory
https://stackdiary.com/google-discloses-a-webm-vp8-bug-tracked-as-cve-2023-5217/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/29/14	Mailing List Third Party Advisory
https://www.debian.org/security/2023/dsa-5510	Third Party Advisory
https://www.debian.org/security/2023/dsa-5508	Third Party Advisory
https://www.debian.org/security/2023/dsa-5509	Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/30/1	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00038.html	Mailing List
https://twitter.com/maddiestone/status/1707163313711497266	Third Party Advisory
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/	Third Party Advisory
https://github.com/webmproject/libvpx/releases/tag/v1.13.1	Release Notes
http://www.openwall.com/lists/oss-security/2023/09/30/2	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/30/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/30/4	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/30/5	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCVSHVX2RFBU3RMCUFSATVQEJUFD4Q63/	Mailing List
http://www.openwall.com/lists/oss-security/2023/10/01/2	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/01/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/01/5	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/55YVCZNAVY3Y5E4DWPWMX2SPKZ2E5SOV/	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MFWDFJSSIFKWKNOCTQCFUNZWAXUCSS4/	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWEJYS5NC7KVFYU3OAMPKQDYN6JQGVK6/	Mailing List
http://www.openwall.com/lists/oss-security/2023/10/02/6	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/03/11	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202310-04	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AY642Z6JZODQJE7Z62CFREVUHEGCXGPD/	Mailing List
http://seclists.org/fulldisclosure/2023/Oct/12	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00015.html	Mailing List
http://seclists.org/fulldisclosure/2023/Oct/16	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/	Mailing List
https://support.apple.com/kb/HT213961	Third Party Advisory
https://support.apple.com/kb/HT213972	Third Party Advisory
https://security.gentoo.org/glsa/202401-34	Third Party Advisory

Подверженные конфигурации:
1. Конфигурация 1
  cpe:2.3:a:webmproject:libvpx:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*
  Running on/with:
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:android:*:*
  
  Конфигурация 2
  cpe:2.3:a:microsoft:edge:116.0.1938.98:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:edge:117.0.2045.47:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:edge_chromium:116.0.5845.229:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:edge_chromium:117.0.5938.132:*:*:*:*:*:*:*
  
  Конфигурация 3
  cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:android:*:*
  End excliding
  118.1
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  115.3.1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*
  End excliding
  118.1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  118.0.1
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  115.3.1
  
  Конфигурация 4
  cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
  
  Конфигурация 5
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
  
  Конфигурация 6
  cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
  Start including
  17.0
  End excliding
  17.0.3
  cpe:2.3:o:apple:ipad_os:*:*:*:*:*:*:*:*
  Start including
  17.0
  End excliding
  17.0.3
  cpe:2.3:o:apple:ipad_os:16.7:*:*:*:*:*:*:*
  cpe:2.3:o:apple:iphone_os:16.7:*:*:*:*:*:*:*

Версия: v24.4.2

Наверх

Уязвимость CVE-2023-5217: Информация

Описание

Исправленные пакеты

Ссылки на рекомендации, решения и инструменты

Конфигурация 1

Конфигурация 2

Конфигурация 3

Конфигурация 4

Конфигурация 5

Конфигурация 6