CVE-2023-1999

Name	CVE-2023-1999
Description	There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3391-1, DLA-3400-1, DLA-3439-1, DSA-5385-1, DSA-5392-1, DSA-5408-1, ELA-878-1
Debian Bugs	1035371

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	132.0.2-1	fixed
firefox-esr (PTS)	jessie, jessie (lts)	68.9.0esr-1~deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	91.11.0esr-1~deb9u1	vulnerable
	buster (security), buster, buster (lts)	115.12.0esr-1~deb10u1	fixed
	bullseye	115.14.0esr-1~deb11u1	fixed
	bullseye (security)	128.4.0esr-1~deb11u1	fixed
	bookworm	128.3.1esr-1~deb12u1	fixed
	bookworm (security)	128.4.0esr-1~deb12u1	fixed
	sid, trixie	128.4.0esr-1	fixed
libwebp (PTS)	jessie, jessie (lts)	0.4.1-1.2+deb8u1	fixed
	stretch (security)	0.5.2-1+deb9u1	vulnerable
	stretch (lts), stretch	0.5.2-1+deb9u3	fixed
	buster (security), buster, buster (lts)	0.6.1-2+deb10u3	fixed
	bullseye (security), bullseye	0.6.1-2.1+deb11u2	fixed
	bookworm (security), bookworm	1.2.4-0.2+deb12u1	fixed
	sid, trixie	1.4.0-0.1	fixed
thunderbird (PTS)	jessie, jessie (lts)	1:68.9.0-1~deb8u2	vulnerable
	stretch (security), stretch (lts), stretch	1:91.10.0-1~deb9u1	vulnerable
	buster (security), buster, buster (lts)	1:115.12.0-1~deb10u1	fixed
	bullseye	1:115.12.0-1~deb11u1	fixed
	bullseye (security)	1:128.4.3esr-1~deb11u1	fixed
	bookworm	1:115.16.0esr-1~deb12u1	fixed
	bookworm (security)	1:128.4.3esr-1~deb12u1	fixed
	sid, trixie	1:128.4.3esr-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
firefox	source	(unstable)	112.0-1
firefox-esr	source	jessie	(unfixed)	end-of-life
firefox-esr	source	stretch	(unfixed)	end-of-life
firefox-esr	source	buster	102.10.0esr-1~deb10u1		DLA-3391-1
firefox-esr	source	bullseye	102.10.0esr-1~deb11u1		DSA-5385-1
firefox-esr	source	(unstable)	102.10.0esr-1
libwebp	source	jessie	(not affected)
libwebp	source	stretch	0.5.2-1+deb9u2		ELA-878-1
libwebp	source	buster	0.6.1-2+deb10u2		DLA-3439-1
libwebp	source	bullseye	0.6.1-2.1+deb11u1		DSA-5408-1
libwebp	source	(unstable)	1.2.4-0.2			1035371
thunderbird	source	jessie	(unfixed)	end-of-life
thunderbird	source	stretch	(unfixed)	end-of-life
thunderbird	source	buster	1:102.10.0-1~deb10u1		DLA-3400-1
thunderbird	source	bullseye	1:102.10.0-1~deb11u1		DSA-5392-1
thunderbird	source	(unstable)	1:102.10.0-1

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/#CVE-2023-1999
https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/#CVE-2023-1999
https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-1999
https://bugzilla.mozilla.org/show_bug.cgi?id=1819244 (not public)
https://hg.mozilla.org/releases/mozilla-esr102/rev/53b805c752ff23080e100eda2b3b4280d4370b2e
https://chromium.googlesource.com/webm/libwebp/+/4654e1e7381044717d5d3e0dd7e735633a3ff300 (1.3.0)
Fixed by: https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129 (v1.3.1-rc1)
Introduced by: https://github.com/webmproject/libwebp/commit/187d379db68839f76d1390be291c471f2f66644c (v0.5.0-rc1)
Introduced by: https://github.com/webmproject/libwebp/commit/5692eae1f3efd8b7b47398a9f5d74f1dc6f64e7f (backport; v0.4.2-rc2)
[jessie] - libwebp <not-affected> (Vulnerable code was introduced later)