[Bugs] [Bug 13555] New: [CVE 21] libwebp 1.2.3 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 23:21:41 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13555

          Platform: 2021.1
            Bug ID: 13555
           Summary: [CVE 21] libwebp 1.2.3  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-1999,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
                    y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package libwebp version 1.2.3

INFO (CVEs are): libwebp 1.2.3
 cves found
CVE-2023-1999
Desc: There exists a use after free/double free in libwebp. An attacker can use
the ApplyFiltersAndEncode() function and loop through to free best.bw and
assign best = trial pointer. The second loop will then return 0 because of an
Out of memory error in VP8 encoder, the pointer is still assigned to trial and
the AddressSanitizer will attempt a double free.

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-1999
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.