ISN 2023-19: Libwebp Vulnerability in Chromium and Other Software

Updated 28 September 2023 (fix versions, add CVE-2023-5129)

First published 14 September 2023

CVSS 3.1: 10.0 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

A critical vulnerability has been found in Libwebp, used in the Chromium web browser and other software. This affects the following IGEL products:

• IGEL OS 12
• IGEL OS 11

Details

A zero-day critical heap buffer overflow vulnerability has been found in the WebP library (Libwebp) used by Chromium, webkit2gtk, qt5 webkit, webengine and other software supporting the WebP image format. This vulnerability can be tracked with CVE-2023-4863 and CVE-2023-5129. Apple’s Security Engineering and Architecture (SEAR) and The Citizen Lab are not publishing the details of this vulnerability as it has been seen exploited in-the-wild and they are giving time for people to update their browsers.

Update Instructions

• OS 12: Update to IGEL OS 12 base system version 12.2.1 (available on 17 October 2023) with an updated Libwebp.
• OS 11: Update to IGEL OS 11.09.100 (planned for 5 October 2023) with an updated Libwebp.

References

• CVE-2023-4863 - https://nvd.nist.gov/vuln/detail/CVE-2023-4863
• CVE-2023-5129 - https://nvd.nist.gov/vuln/detail/CVE-2023-5129
• Google’s advisory - https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html