Announced CVE-2023-5217 : September 28, 2023
Chrome :
https://thehackernews.com/2023/09/updat ... patch.html
Mozilla , Security Vulnerability fixed in Firefox 118.0.1 :
https://www.mozilla.org/en-US/security/ ... sa2023-44/
libvpx : affected from 1.13.1
https://www.cve.org/CVERecord?id=CVE-2023-5217
about this video format : VP8
Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx
-
- Shogun
- Posts: 238
- Joined: 12 Jun 2021, 21:59
- Distribution: Xfce 4.12 - 5.rc3 - x86_64
- Location: France
Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx
Last edited by Rava on 29 Sep 2023, 04:09, edited 1 time in total.
Reason: put CVE-2023-5217 into subject
Reason: put CVE-2023-5217 into subject
- Rava
- Contributor
- Posts: 5416
- Joined: 11 Jan 2011, 02:46
- Distribution: XFCE 5.01 x86_64 + 4.0 i586
- Location: Forests of Germany
Critical Vulnerability - WebM - VP8 - libvpx
Thanks for the heads up.
Is Porteus 5.0.1 already fixed against CVE-2023-5217 ?
Cave! More programs (or libraries) might be affected than the ones listed.
More links with hopefully helpful info for you folks
https://www.bleepingcomputer.com/news/s ... y-of-2023/
https://www.securityweek.com/google-rus ... re-vendor/
Is Porteus 5.0.1 already fixed against CVE-2023-5217 ?
Cave! More programs (or libraries) might be affected than the ones listed.
More links with hopefully helpful info for you folks
https://www.bleepingcomputer.com/news/s ... y-of-2023/
https://access.redhat.com/security/cve/cve-2023-5217Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today.
"Google is aware that an exploit for CVE-2023-5217 exists in the wild," the company revealed in a security advisory published on Wednesday.
The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.
While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when BleepingComputer checked for updates.
listed known affected (vulnerable) programs are: firefox - libvpx - thunderbirdThe MITRE CVE dictionary describes this issue as:
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
https://www.securityweek.com/google-rus ... re-vendor/
Google has rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor.
The internet giant announced on Tuesday that the stable channel of Chrome for Windows, macOS and Linux has been updated to version 117.0.5938.132.
The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.
The most important vulnerability, tracked as CVE-2023-5217, has been described as a “heap buffer overflow in vp8 encoding in libvpx”. The issue was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released.
Google warned that CVE-2023-5217 has been exploited in the wild.
While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it has been leveraged by a commercial surveillance vendor.
The news comes shortly after Google TAG and the University of Toronto’s Citizen Lab group released details on an operation whose goal was to deliver a piece of spyware known as Predator to an opposition politician in Egypt.
An analysis showed that the threat actor has used various zero-days and man-in-the-middle (MitM) attacks to deliver spyware to both Android and iOS devices.
Cheers!
Yours Rava
Yours Rava
- Rava
- Contributor
- Posts: 5416
- Joined: 11 Jan 2011, 02:46
- Distribution: XFCE 5.01 x86_64 + 4.0 i586
- Location: Forests of Germany
Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx
According to a PM by ncmprhnsbl and I paraphrase here (since I did not ask him for permission to quote his PM; the text with the starting fat bullet and set in italics is his paraphrased reply):
My question to him was:
Meaning check what version of your browser(s) is hardened against CVE-2023-5217 and use update-browser to create the newest known hardened version.
● About libvpx itself, it doesn't look like any update has come from Slackware as yet, ncmprhnsbl sees arch has just rebuilt theirs with a patch.
ncmprhnsbl expects Patrick Volkerding to do something similar soon.
In case Patrick Volkerding doesn't ring a bell: Patrick Volkerding (on en.wikipedia)
My question to him was:
● the browsers on the server aren't hardened against the CVE-2023-5217, but the update scripts will deliver the latest that are.Rava wrote:Is Porteus-v5.01 already hardened against the CVE-2023-5217?
Meaning check what version of your browser(s) is hardened against CVE-2023-5217 and use update-browser to create the newest known hardened version.
● About libvpx itself, it doesn't look like any update has come from Slackware as yet, ncmprhnsbl sees arch has just rebuilt theirs with a patch.
ncmprhnsbl expects Patrick Volkerding to do something similar soon.
In case Patrick Volkerding doesn't ring a bell: Patrick Volkerding (on en.wikipedia)
That is the state of things as of the writing of this post. Could be in one day there are news and updates for Slackware. Or one tries using the arch patch.Patrick Volkerding (born October 20, 1966) is the founder and maintainer of the Slackware Linux distribution. Volkerding is Slackware's "Benevolent Dictator for Life" (BDFL), and is also known informally as "The Man".
Last edited by Rava on 29 Sep 2023, 05:52, edited 1 time in total.
Reason: added Patrick Volkerding (on en.wikipedia) info
Reason: added Patrick Volkerding (on en.wikipedia) info
Cheers!
Yours Rava
Yours Rava