[Bug 2035712] Re: libwebp has critical cve-2023-4863
Seth Arnold
2035712 at bugs.launchpad.net
Fri Nov 17 20:57:08 UTC 2023
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/2035712
Title:
libwebp has critical cve-2023-4863
Status in libgd2 package in Ubuntu:
Invalid
Bug description:
There is a buffer overflow bug cve-2023-4863 in libwebp which is
getting actively attacked in the wild (e.g. Chromium assigned this
Critical severity).
According to my research gd uses libwebp and php-gd/libgd does not use
the dynamically linked version from the libwebp package.
So I assume that if libgd is vulnerable, it would still be vulnerable if
the libwebp package gets fixed.
So if libwebp is vulnerable it should be tracked separately from
libwebp; and show e.g. on
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/2035220
We use libgd, but security analysis showed our systems won't handle
webp files to gd, so we should not be vulnerable, but a lot of
services would be.
I do not have the resources to code-dive/make a proof of concept. But
I think it is critical that someone can rule out that cve-2023-4863 in
php-gd / build against a patched version of libwebp; also e.g. for
xenial.
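The open question above is whether a given libgd build picks up libwebp from the distribution's shared library (so updating the libwebp package fixes it) or carries its own copy (so only a rebuild helps). The following is an added example, not part of the bug report or of the libgd/libwebp projects: it classifies an ELF object from its `readelf -d` NEEDED entries and its exported symbols. The libgd path used in the usage call is an assumption for Ubuntu amd64.

```shell
#!/bin/sh
# Classify how an ELF object obtains its WebP decoder:
#   dynamic:<soname>  NEEDED entry for libwebp.so.N -> fixed by updating the libwebp package
#   static            WebP decoder symbols defined inside the object -> needs a rebuild
#   none              no libwebp linkage visible (or symbols hidden; see note below)
# Arguments are the captured text of `readelf -d OBJ` and `nm -D --defined-only OBJ`,
# so the classifier itself can also be exercised on constructed input.
classify_webp_linkage() {
  needed="$1"
  syms="$2"
  soname=$(printf '%s\n' "$needed" \
    | sed -n 's/.*(NEEDED).*\[\(libwebp\.so[^]]*\)\].*/\1/p' | head -n 1)
  if [ -n "$soname" ]; then
    printf 'dynamic:%s\n' "$soname"
    return 0
  fi
  # A statically bundled libwebp shows up as defined (T) decoder entry points.
  # Caveat: a build with hidden visibility exports none of them, so "none"
  # does not prove the decoder is absent.
  if printf '%s\n' "$syms" | grep -q ' T WebPDecode'; then
    printf 'static\n'
    return 0
  fi
  printf 'none\n'
}

# Run the two inspections on a real file and classify the result.
inspect_object() {
  obj="$1"
  [ -r "$obj" ] || { echo "cannot read $obj" >&2; return 2; }
  classify_webp_linkage "$(readelf -d "$obj" 2>/dev/null)" \
                        "$(nm -D --defined-only "$obj" 2>/dev/null)"
}

# Usage (assumed Ubuntu amd64 path; adjust for other architectures or php-gd's gd.so):
# inspect_object /usr/lib/x86_64-linux-gnu/libgd.so.3
```

Run the same function on php's `gd.so` extension module to answer the php-gd half of the question; a `dynamic:` result means the fix arrives with the libwebp package, `static` means the package needs its own rebuild.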