
Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx

Posted: 28 Sep 2023, 23:03
by Rapha_
Announced CVE-2023-5217: September 28, 2023

Chrome:
https://thehackernews.com/2023/09/updat ... patch.html

Mozilla, Security Vulnerability fixed in Firefox 118.0.1:
https://www.mozilla.org/en-US/security/ ... sa2023-44/

libvpx: affected from 1.13.1
https://www.cve.org/CVERecord?id=CVE-2023-5217



About this video format: VP8

Critical Vulnerability - WebM - VP8 - libvpx

Posted: 29 Sep 2023, 04:01
by Rava
Thanks for the heads up.

Is Porteus 5.0.1 already fixed against CVE-2023-5217 ?

Cave! More programs (or libraries) might be affected than the ones listed.

More links with hopefully helpful info for you folks

https://www.bleepingcomputer.com/news/s ... y-of-2023/
Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today.

"Google is aware that an exploit for CVE-2023-5217 exists in the wild," the company revealed in a security advisory published on Wednesday.

The security vulnerability is addressed in Google Chrome 117.0.5938.132, rolling out worldwide to Windows, Mac, and Linux users in the Stable Desktop channel.

While the advisory says it will likely take days or weeks until the patched version reaches the entire user base, the update was immediately available when BleepingComputer checked for updates.
https://access.redhat.com/security/cve/cve-2023-5217
The MITRE CVE dictionary describes this issue as:

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
listed known affected (vulnerable) programs are: firefox - libvpx - thunderbird

https://www.securityweek.com/google-rus ... re-vendor/
Google has rushed to patch another Chrome zero-day vulnerability exploited by a commercial spyware vendor.

The internet giant announced on Tuesday that the stable channel of Chrome for Windows, macOS and Linux has been updated to version 117.0.5938.132.

The latest update patches 10 vulnerabilities, three of which have been highlighted by the company in its advisory.

The most important vulnerability, tracked as CVE-2023-5217, has been described as a “heap buffer overflow in vp8 encoding in libvpx”. The issue was reported to the Chrome team by Clement Lecigne of Google’s Threat Analysis Group (TAG) just two days before the patch was released.

Google warned that CVE-2023-5217 has been exploited in the wild.

While the advisory does not provide any information on the attacks exploiting the zero-day, Google TAG researcher Maddie Stone revealed that it has been leveraged by a commercial surveillance vendor.

The news comes shortly after Google TAG and the University of Toronto’s Citizen Lab group released details on an operation whose goal was to deliver a piece of spyware known as Predator to an opposition politician in Egypt.

An analysis showed that the threat actor has used various zero-days and man-in-the-middle (MitM) attacks to deliver spyware to both Android and iOS devices.

Critical Vulnerability CVE-2023-5217 - WebM - VP8 - libvpx

Posted: 29 Sep 2023, 05:46
by Rava
According to a PM by ncmprhnsbl and I paraphrase here (since I did not ask him for permission to quote his PM; the text with the starting fat bullet and set in italics is his paraphrased reply):

My question to him was:
Rava wrote: Is Porteus-v5.01 already hardened against the CVE-2023-5217?
● the browsers on the server aren't hardened against the CVE-2023-5217, but the update scripts will deliver the latest that are.

Meaning check what version of your browser(s) is hardened against CVE-2023-5217 and use update-browser to create the newest known hardened version.

● About libvpx itself, it doesn't look like any update has come from Slackware as yet; ncmprhnsbl sees Arch has just rebuilt theirs with a patch.
ncmprhnsbl expects Patrick Volkerding to do something similar soon.


In case Patrick Volkerding doesn't ring a bell: Patrick Volkerding (on en.wikipedia)
Patrick Volkerding (born October 20, 1966) is the founder and maintainer of the Slackware Linux distribution. Volkerding is Slackware's "Benevolent Dictator for Life" (BDFL), and is also known informally as "The Man".
That is the state of things as of the writing of this post. It could be that in one day there is news and there are updates for Slackware. Or one tries using the Arch patch.
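
The version check suggested in the post above (is the installed browser at or past the fixed release?), as an added shell example that is not part of the original posts. The fixed versions are the ones quoted in this thread; the function names and the sample `--version` strings are constructed for illustration.

```shell
#!/bin/sh
# Fixed versions as quoted in this thread (Chrome advisory, Firefox 118.0.1).
# ESR or distro-patched builds may carry the fix under other version numbers,
# and libvpx may be rebuilt with a patch without a version bump.
CHROME_FIXED="117.0.5938.132"
FIREFOX_FIXED="118.0.1"

# Numeric, field-by-field comparison: succeeds when $1 >= $2.
# A plain string compare would wrongly rank 5938.92 above 5938.132.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Pull the first dotted version number out of `--version` style output.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Prints fixed, needs-update or unknown for a product name and version text.
status_for() {
    case "$1" in
        chrome)  fixed=$CHROME_FIXED ;;
        firefox) fixed=$FIREFOX_FIXED ;;
        *)       echo "unknown"; return 0 ;;
    esac
    ver=$(extract_version "$2")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if version_ge "$ver" "$fixed"; then echo "fixed"; else echo "needs-update"; fi
}

# Constructed sample outputs, in the form the browsers print for --version.
for sample in \
    "chrome|Google Chrome 117.0.5938.92" \
    "chrome|Google Chrome 117.0.5938.132" \
    "firefox|Mozilla Firefox 118.0" \
    "firefox|Mozilla Firefox 118.0.1"
do
    product=${sample%%|*}; text=${sample#*|}
    printf '%-8s %-34s %s\n' "$product" "$text" "$(status_for "$product" "$text")"
done
```

To check a live system, pass the real output instead of a sample, for example `status_for firefox "$(firefox --version)"`.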