Here’s how the two are reminiscent of each other:ġ. The described vulnerability in the libwebp image library draws parallels to the widely-publicized Log4j/Log4Shell incident from late 2021. Comparison with the Log4j/Log4Shell Incident: Given its widespread adoption, this vulnerability presents significant concerns for users and organizations alike.Īs a part of their response, Google has expanded its fix for CVE-2023–4863 to include both the Stable channel for ChromeOS and ChromeOS Flex with the latest version release. They emphasized the efficiency of libwebp in comparison to JPEG and PNG in terms of size and speed. Rezillion’s recent analysis disclosed a multitude of widely used applications, libraries, frameworks, and operating systems that could be affected by CVE-2023–4863. Any application relying on the libwebp library to handle WebP images is potentially vulnerable. Interestingly, while CVE-2023–4863 was previously reported as an issue affecting Google Chrome alone, further investigation reveals its impact to be much more widespread (this is now more of a moot point as 4863 has come back to replace 5129). Citizen Lab reports that CVE-2023–41064 was used as part of a zero-click iMessage exploit chain called BLASTPASS to deploy the notorious Pegasus spyware. Both vulnerabilities are believed to be related to the same core problem in the libwebp library. These bugs could lead to arbitrary code execution when dealing with a maliciously crafted image. This recent development follows after a similar bug was addressed by Apple, Google, and Mozilla, labeled under CVE codes CVE-2023–41064 and CVE-2023–4863. The ReadHuffmanCodes() function and the ReplicateValue area are particularly impacted by this flaw. The flaw arises from an issue in the Huffman coding algorithm which, with a specially crafted WebP lossless file, can lead to out-of-bounds data writing to the heap. This vulnerability, identified as CVE-2023–5129, has received the maximum severity score of 10.0 on the CVSS rating scale. Google has acknowledged a new and severe security flaw in the libwebp image library, which handles the rendering of WebP format images. UPDATE: CVE-2023–5129 has now been rejected and instead is being ref er red to as its predecessor only, CVE-2023–4863
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |