clone 1051787 -1
reassign -1 libwebp
thanks
This bug's actually in libwebp. Unfortunately we're still embedding it
in chromium, so we likely need to fix both chromium *and* libwebp in
debian. There hasn't been a libwebp release yet, but the two relevant
git commits are
<https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/>
and what appears to be a followup fix to that,
<https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0>
On Tue, Sep 12 2023 at 09:12:40 AM -06:00:00, Jeffrey Cliff
<jeffrey.cl...@gmail.com> wrote:
Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Dear Maintainer,
116.0.5845.187 fixes a critical remote vulnerability in chrome
[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
Reported by Apple Security Engineering and Architecture (SEAR) and
The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
<https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html>
Might want to look into this at least
(attempt 3, my reportbug broke sorry)
Jeff Cliff
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500, 'oldstable-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages chromium depends on:
pn chromium-common <none>
ii libasound2 1.2.9-2
ii libatk-bridge2.0-0 2.49.91-2
ii libatk1.0-0 2.49.91-2
ii libatomic1 13.2.0-3
ii libatspi2.0-0 2.49.91-2
ii libbrotli1 1.0.9-2+b6
ii libc6 2.37-7
ii libcairo2 1.17.8-3
ii libcups2 2.4.2-5
ii libdbus-1-3 1.14.10-1devuan1
ii libdouble-conversion3 3.3.0-1
ii libdrm2 2.4.115-1
ii libevent-2.1-7 2.1.12-stable-8
ii libexpat1 2.5.0-2
ii libflac12 1.4.3+ds-2
ii libfontconfig1 2.14.2-5
ii libfreetype6 2.13.2+dfsg-1
ii libgbm1 23.1.7-1
ii libgcc-s1 13.2.0-3
ii libglib2.0-0 2.77.3-1
ii libgtk-3-0 3.24.38-4
ii libjpeg62-turbo 1:2.1.5-2
ii libjsoncpp25 1.9.5-6
ii liblcms2-2 2.14-2
ii libminizip1 1:1.2.13.dfsg-3
ii libnspr4 2:4.35-1.1
ii libnss3 2:3.92-1
pn libopenh264-7 <none>
ii libopenjp2-7 2.5.0-2
ii libopus0 1.4-1
ii libpango-1.0-0 1.51.0+ds-2
ii libpng16-16 1.6.40-1
ii libpulse0 16.1+dfsg1-2+b1
ii libsnappy1v5 1.1.10-1
ii libstdc++6 13.2.0-3
ii libwebp7 1.2.4-0.2
ii libwebpdemux2 1.2.4-0.2
ii libwebpmux3 1.2.4-0.2
ii libwoff1 1.0.2-2
ii libx11-6 2:1.8.6-1
ii libxcb1 1.15-1
ii libxcomposite1 1:0.4.5-1
ii libxdamage1 1:1.1.6-1
ii libxext6 2:1.3.4-1+b1
ii libxfixes3 1:6.0.0-2
ii libxkbcommon0 1.5.0-1
ii libxml2 2.9.14+dfsg-1.3
ii libxnvctrl0 525.125.06-1
ii libxrandr2 2:1.5.2-2+b1
ii libxslt1.1 1.1.35-1
ii zlib1g 1:1.2.13.dfsg-3
Versions of packages chromium recommends:
pn chromium-sandbox <none>
Versions of packages chromium suggests:
pn chromium-driver <none>
pn chromium-l10n <none>
pn chromium-shell <none>