-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2677-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
June 05, 2021                                     https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : libwebp
Version        : 0.5.2-1+deb9u1
CVE ID         : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012
                 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329
                 CVE-2020-36330 CVE-2020-36331

Multiple security issues have been discovered in libwebp.

CVE-2018-25009

    An out-of-bounds read was found in function WebPMuxCreateInternal.
    The highest threat from this vulnerability is to data confidentiality
    and to service availability.

CVE-2018-25010

    An out-of-bounds read was found in function ApplyFilter. The highest
    threat from this vulnerability is to data confidentiality and to
    service availability.

CVE-2018-25011

    A heap-based buffer overflow was found in PutLE16(). The highest
    threat from this vulnerability is to data confidentiality and
    integrity as well as system availability.

CVE-2018-25012

    An out-of-bounds read was found in function WebPMuxCreateInternal.
    The highest threat from this vulnerability is to data confidentiality
    and to service availability.

CVE-2018-25013

    An out-of-bounds read was found in function ShiftBytes. The highest
    threat from this vulnerability is to data confidentiality and to
    service availability.

CVE-2018-25014

    An uninitialized variable is used in function ReadSymbol. The highest
    threat from this vulnerability is to data confidentiality and
    integrity as well as system availability.

CVE-2020-36328

    A heap-based buffer overflow in function WebPDecodeRGBInto is possible
    due to an invalid check for buffer size. The highest threat from this
    vulnerability is to data confidentiality and integrity as well as
    system availability.

CVE-2020-36329

    A use-after-free was found due to a thread being killed too early.
    The highest threat from this vulnerability is to data confidentiality
    and integrity as well as system availability.

CVE-2020-36330

    An out-of-bounds read was found in function ChunkVerifyAndAssign.
    The highest threat from this vulnerability is to data confidentiality
    and to service availability.
CVE-2020-36331

    An out-of-bounds read was found in function ChunkAssignData. The
    highest threat from this vulnerability is to data confidentiality
    and to service availability.

For Debian 9 stretch, these problems have been fixed in version
0.5.2-1+deb9u1.

We recommend that you upgrade your libwebp packages.

For the detailed security status of libwebp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmC7t8MACgkQ0+Fzg8+n
/wY3MQ/9HJZ/ZRdebr6kVrI2Kft17rJcL5Yrad4CkY2hGDShH9I1a9hrxxnY5o6K
t9xHMJB3BzQPECL+4zSOHlJYoZ+J7eHtU1MO6FytWw8NW761f7IEV3C7f72uq1hQ
hRHMPIpZUw5SEWjIFCef42yEV+LViVvugLWKYR3I8ZAQK+Cddz6m1KlMpow7ZEQj
uSljS3Y1Qsm8puDpKEIYJL+DKkKyasNeAf1jwZwymTCFei5AFK/ISDCMi6VDt5A1
TOYG0dmwFXwIrHaRAPPh36j0Y9Z1KzlX4mH//rDfxI7U3uXlP/zTdSuREMCVZ2lH
ApmkCV4GDlpCZW/2xwchCkPrks6/KLzRjvShzKxoBBn7dbJef88LxgYOazyEua8O
5kGQL6QGsfPnWiyBfW4TGsN2/UzIx3kpKwr8C1OLecoRVaG7bueznJBFTpXlH7q2
+Wve5sWDCctzDVzyjEi/N7T+VsfFJPZjSBty0aYNyttpVJCHU0yGTh9YslFTxPsA
lEYzVvAGujTPr29x43aBUotXa3XjZfBPEHTj/SQWR9SqQ9ORunsmgsJigrajJeYj
mqWmTrjbq1zhto7zpyF6ZP2r2vKdYU/p1nWDPS/KXQHQUqhZRCf0QjfH1G6NBDWj
JLxHPIQt8zLk97HkaczFJGXNugWNe66i6a3q7GfDc/ym88feDXk=
=3iR4
-----END PGP SIGNATURE-----
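The practical check that follows from this advisory is whether every installed libwebp binary package is at or above 0.5.2-1+deb9u1. On a stretch host that is a one-liner with dpkg (`dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libwebp6)" ge 0.5.2-1+deb9u1`), but it is worth seeing what that comparison actually does, because naive string or float comparison gets Debian versions wrong (`0.5.2-1+deb9u1` must sort above `0.5.2-1`, and `0.5.2~rc1-1` below `0.5.2-1`). The script below is an added example written for this page, not Debian's or dpkg's own code: it is a pure-Python port of dpkg's version-comparison algorithm (epoch, then upstream, then revision; alternating non-digit and digit runs, with `~` sorting before everything) applied to a constructed sample of `dpkg-query -W -f='${binary:Package} ${Version}\n'` output. The binary package names in the sample (libwebp6, libwebpmux2, libwebpdemux2, libwebp-dev) are assumed, and the sample lines are constructed to show a partially updated host.

```python
"""Check installed libwebp packages against the DLA-2677-1 fixed version
using a pure-Python port of dpkg's version comparison (Debian Policy 5.6.12).
Added example for this advisory; not Debian or dpkg code."""

FIXED_VERSION = "0.5.2-1+deb9u1"  # fixed version named in the advisory

# Constructed sample of `dpkg-query -W -f='${binary:Package} ${Version}\n' 'libwebp*'`
# on a partially updated stretch host. Binary package names are assumed.
SAMPLE_DPKG_OUTPUT = """\
libwebp-dev:amd64 0.5.2-1
libwebp6:amd64 0.5.2-1+deb9u1
libwebpdemux2:amd64 0.5.2-1
libwebpmux2:amd64 0.5.2-1+deb9u1
"""

DIGITS = "0123456789"


def _order(c):
    """Weight dpkg gives a character in a non-digit run: '~' sorts before
    everything (even end of string), letters before non-letters, and end of
    string (empty) before any character other than '~'."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg's verrevcmp:
    alternate non-digit runs (compared via _order) and digit runs (compared
    numerically, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # non-digit run: first differing weight decides
        while (i < la and a[i] not in DIGITS) or (j < lb and b[j] not in DIGITS):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros; a longer run has more significant
        # digits and wins, otherwise the first differing digit decides
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i] in DIGITS and j < lb and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i] in DIGITS:
            return 1
        if j < lb and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def vulnerable_packages(dpkg_output, fixed=FIXED_VERSION):
    """Return (package, version) pairs still below the fixed version."""
    found = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split()
        if compare_versions(ver, fixed) < 0:
            found.append((pkg, ver))
    return found


if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{pkg} {ver} is older than {FIXED_VERSION}: still affected")
```

On the constructed sample this reports libwebp-dev and libwebpdemux2 as still affected while libwebp6 and libwebpmux2 are current, which is the situation a partial `apt-get install libwebp6` (rather than a full `apt-get upgrade`) leaves behind. Feed it real `dpkg-query` output, or replace the comparison with `dpkg --compare-versions` where dpkg is available; the point of the port is only to make the ordering rules visible.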