CVE-2023-4863

NameCVE-2023-4863
DescriptionHeap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3568-1, DLA-3569-1, DLA-3570-1, DSA-5496-1, DSA-5497-1, DSA-5497-2, DSA-5498-1, ELA-971-1
Debian Bugs1051787

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
chromium (PTS)stretch (security), stretch (lts), stretch73.0.3683.75-1~deb9u1vulnerable
buster (security), buster, buster (lts)90.0.4430.212-1~deb10u1vulnerable
bullseye (security), bullseye120.0.6099.224-1~deb11u1fixed
bookworm130.0.6723.91-1~deb12u1fixed
bookworm (security)130.0.6723.116-1~deb12u1fixed
trixie130.0.6723.116-1fixed
sid131.0.6778.85-1fixed
firefox (PTS)sid132.0.2-1fixed
firefox-esr (PTS)jessie, jessie (lts)68.9.0esr-1~deb8u2vulnerable
stretch (security), stretch (lts), stretch91.11.0esr-1~deb9u1vulnerable
buster (security), buster, buster (lts)115.12.0esr-1~deb10u1fixed
bullseye115.14.0esr-1~deb11u1fixed
bullseye (security)128.4.0esr-1~deb11u1fixed
bookworm128.3.1esr-1~deb12u1fixed
bookworm (security)128.4.0esr-1~deb12u1fixed
sid, trixie128.4.0esr-1fixed
libwebp (PTS)jessie, jessie (lts)0.4.1-1.2+deb8u1fixed
stretch (security)0.5.2-1+deb9u1vulnerable
stretch (lts), stretch0.5.2-1+deb9u3fixed
buster (security), buster, buster (lts)0.6.1-2+deb10u3fixed
bullseye (security), bullseye0.6.1-2.1+deb11u2fixed
bookworm (security), bookworm1.2.4-0.2+deb12u1fixed
sid, trixie1.4.0-0.1fixed
thunderbird (PTS)jessie, jessie (lts)1:68.9.0-1~deb8u2vulnerable
stretch (security), stretch (lts), stretch1:91.10.0-1~deb9u1vulnerable
buster (security), buster, buster (lts)1:115.12.0-1~deb10u1fixed
bullseye1:115.12.0-1~deb11u1fixed
bullseye (security)1:128.4.3esr-1~deb11u1fixed
bookworm1:115.16.0esr-1~deb12u1fixed
bookworm (security)1:128.4.3esr-1~deb12u1fixed
sid, trixie1:128.4.3esr-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
chromiumsourcebuster(unfixed)end-of-life
chromiumsource(unstable)117.0.5938.62-1unimportant
firefoxsource(unstable)117.0.1-1
firefox-esrsourcejessie(unfixed)end-of-life
firefox-esrsourcestretch(unfixed)end-of-life
firefox-esrsourcebuster102.15.1esr-1~deb10u1DLA-3568-1
firefox-esrsourcebullseye102.15.1esr-1~deb11u1DSA-5496-1
firefox-esrsourcebookworm102.15.1esr-1~deb12u1DSA-5496-1
firefox-esrsource(unstable)115.2.1esr-1
libwebpsourcejessie(not affected)
libwebpsourcestretch0.5.2-1+deb9u3ELA-971-1
libwebpsourcebuster0.6.1-2+deb10u3DLA-3570-1
libwebpsourcebullseye0.6.1-2.1+deb11u2DSA-5497-2
libwebpsourcebookworm1.2.4-0.2+deb12u1DSA-5497-1
libwebpsource(unstable)1.2.4-0.31051787
thunderbirdsourcejessie(unfixed)end-of-life
thunderbirdsourcestretch(unfixed)end-of-life
thunderbirdsourcebuster1:102.15.1-1~deb10u1DLA-3569-1
thunderbirdsourcebullseye1:102.15.1-1~deb11u1DSA-5498-1
thunderbirdsourcebookworm1:102.15.1-1~deb12u1DSA-5498-1
thunderbirdsource(unstable)1:115.2.2-1

Notes

[buster] - chromium <end-of-life> (see DSA 5046)
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
src:chromium builds against the system libwebp library
Fixed by: https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
Followup: https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/#CVE-2023-4863
[jessie] - libwebp <not-affected> (Vulnerable code not present; introduced later)
Search for package or bug name: Reporting problems