Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx


Post#1 by Rapha_ » 28 Sep 2023, 23:03

Announced CVE-2023-5217 : September 28, 2023

Chrome :
https://thehackernews.com/2023/09/updat ... patch.html

Mozilla , Security Vulnerability fixed in Firefox 118.0.1 :
https://www.mozilla.org/en-US/security/ ... sa2023-44/

libvpx : affected from 1.13.1
https://www.cve.org/CVERecord?id=CVE-2023-5217



about this video format : VP8
Last edited by Rava on 29 Sep 2023, 04:09, edited 1 time in total.
Reason: put CVE-2023-5217 into subject


Post#2 by Rava » 29 Sep 2023, 04:01

Thanks for the heads up.

Is Porteus 5.0.1 already fixed against CVE-2023-5217 ?

Cave! More programs (or libraries) might be affected than the ones listed.

More links with hopefully helpful info for you folks

https://www.bleepingcomputer.com/news/s ... y-of-2023/
Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today.

"Google is aware that an exploit for CVE-2023-5217 exists in the wild," the company revealed in a security advisory published on Wednesday.

The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.

While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when BleepingComputer checked for updates.
https://access.redhat.com/security/cve/cve-2023-5217
The MITRE CVE dictionary describes this issue as:

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
listed known affected (vulnerable) programs are: firefox - libvpx - thunderbird

https://www.securityweek.com/google-rus ... re-vendor/
Google has rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor.

The internet giant announced on Tuesday that the stable channel of Chrome for Windows, macOS and Linux has been updated to version 117.0.5938.132.

The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.

The most important vulnerability, tracked as CVE-2023-5217, has been described as a “heap buffer overflow in vp8 encoding in libvpx”. The issue was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released.

Google warned that CVE-2023-5217 has been exploited in the wild.

While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it has been leveraged by a commercial surveillance vendor.

The news comes shortly after Google TAG and the University of Toronto’s Citizen Lab group released details on an operation whose goal was to deliver a piece of spyware known as Predator to an opposition politician in Egypt.

An analysis showed that the threat actor has used various zero-days and man-in-the-middle (MitM) attacks to deliver spyware to both Android and iOS devices.
Cheers!
Yours Rava


Post#3 by Rava » 29 Sep 2023, 05:46

According to a PM by ncmprhnsbl and I paraphrase here (since I did not ask him for permission to quote his PM; the text with the starting fat bullet and set in italics is his paraphrased reply):

My question to him was:
Rava wrote: Is Porteus-v5.01 already hardened against the CVE-2023-5217?
● the browsers on the server aren't hardened against the CVE-2023-5217, but the update scripts will deliver the latest that are.

Meaning check what version of your browser(s) is hardened against CVE-2023-5217 and use update-browser to create the newest known hardened version.

● About libvpx itself, it doesn't look like any update has come from Slackware as yet; ncmprhnsbl sees Arch has just rebuilt theirs with a patch.
ncmprhnsbl expects Patrick Volkerding to do something similar soon.


In case Patrick Volkerding doesn't ring a bell: Patrick Volkerding (on en.wikipedia)
Patrick Volkerding (born October 20, 1966) is the founder and maintainer of the Slackware Linux distribution. Volkerding is Slackware's "Benevolent Dictator for Life" (BDFL), and is also known informally as "The Man".
That is the state of things as of the writing of this post. It could be that in one day there are news and updates for Slackware. Or one tries using the Arch patch.
Last edited by Rava on 29 Sep 2023, 05:52, edited 1 time in total.
Reason: added Patrick Volkerding (on en.wikipedia) info
Cheers!
Yours Rava
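
Added example, not part of the thread: a POSIX shell check that compares an installed version against the fixed versions quoted above (Chrome 117.0.5938.132, Firefox 118.0.1, libvpx 1.13.1 per the quoted CVE text). The function names and sample banners are constructed for illustration, and `grep -o` is assumed to be available, as it is with GNU grep.

```shell
#!/bin/sh
# Fixed versions as quoted in this thread (Chrome and Firefox advisories, CVE text).
fixed_version() {
    case "$1" in
        chrome)  echo "117.0.5938.132" ;;
        firefox) echo "118.0.1" ;;
        libvpx)  echo "1.13.1" ;;
        *)       return 1 ;;
    esac
}

# First dotted numeric version in a banner or package name.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B: true when A >= B. Fields compare numerically, so .92 < .132;
# a missing field counts as 0, so 118.0 < 118.0.1.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check PRODUCT BANNER: returns 0 = fixed, 1 = needs update, 2 = cannot tell.
check() {
    want=$(fixed_version "$1") || { echo "$1: no fixed version listed"; return 2; }
    have=$(extract_version "$2")
    [ -n "$have" ] || { echo "$1: no version found in '$2'"; return 2; }
    if version_ge "$have" "$want"; then
        echo "$1 $have: at or above $want"
    else
        echo "$1 $have: below $want, update needed"; return 1
    fi
}

# Constructed sample banners; on a live system pass e.g. "$(firefox --version)".
check chrome  "Google Chrome 117.0.5938.92"  || true
check firefox "Mozilla Firefox 118.0.1"      || true
check libvpx  "libvpx-1.13.0-x86_64-1"       || true
```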
