
List:       oss-security
Subject:    [oss-security] Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2023-09-30 20:38:27
Message-ID: 6284ffe9-d228-46f0-be8c-c7f78a030523 () oracle ! com


On 9/28/23 11:37, Alan Coopersmith wrote:
> It does not appear that libvpx 1.13.1 has been released yet,

It was released yesterday, with the note:

    "This release contains two security related fixes. One each for VP8 and VP9."

    https://github.com/webmproject/libvpx/releases/tag/v1.13.1

CVE-2023-44488 has been assigned to the VP9 bug:

    "VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related
     to encoding."

    https://www.cve.org/CVERecord?id=CVE-2023-44488

It points to this commit for the fix:

    https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris


