Bug#1051786: CVE-2023-4863: Heap buffer overflow in WebP

[Gianfranco Costamagna]

control: tags -1 pending

Hello, since the package libwebp looks a little bit maintained via NMU and 
package is on salsa.d.o/debian namespace, I'll just do it and git push/git push 
--tags.

G.

On Tue, 12 Sep 2023 09:08:55 -0600 Jeffrey Cliff <jeffrey.cl...@gmail.com> 
wrote:

Subject: CVE-2023-4863: Heap buffer overflow in WebP
Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>



On Tue, Sep 12, 2023 at 9:07 AM Jeffrey Cliff <jeffrey.cl...@gmail.com> wrote:
>
> Dear Maintainer,
>
> 116.0.5845.187 fixes a critical remote vulnerability in chrome
>
> [$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
> Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen
> Lab at The University of Torontoʼs Munk School on 2023-09-06
>
> 
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
>
> Might want to look into this at least
>
> Jeff Cliff
>
>
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500,
> 'oldstable-debug')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
> Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_CA:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: sysvinit (via /sbin/init)
> LSM: AppArmor: enabled
>
>
> Versions of packages chromium depends on:
> pn  chromium-common        <none>
> ii  libasound2             1.2.9-2
> ii  libatk-bridge2.0-0     2.49.91-2
> ii  libatk1.0-0            2.49.91-2
> ii  libatomic1             13.2.0-3
> ii  libatspi2.0-0          2.49.91-2
> ii  libbrotli1             1.0.9-2+b6
> ii  libc6                  2.37-7
> ii  libcairo2              1.17.8-3
> ii  libcups2               2.4.2-5
> ii  libdbus-1-3            1.14.10-1devuan1
> ii  libdouble-conversion3  3.3.0-1
> ii  libdrm2                2.4.115-1
> ii  libevent-2.1-7         2.1.12-stable-8
> ii  libexpat1              2.5.0-2
> ii  libflac12              1.4.3+ds-2
> ii  libfontconfig1         2.14.2-5

OpenPGP_signature
Description: OpenPGP digital signature