subject:"Bug#1051787\: Subject\: CVE\-2023\-4863\: Heap buffer overflow in WebP"

Processed: Re: Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

2023-09-12 Thread Debian Bug Tracking System

Processing commands for cont...@bugs.debian.org:

> reassign 1051787 libwebp
Bug #1051787 [chromium] Subject: CVE-2023-4863: Heap buffer overflow in WebP
Bug #1051786 [chromium] CVE-2023-4863: Heap buffer overflow in WebP
Bug reassigned from package 'chromium' to 'libwebp'.
Bug reassigned from package 'chromium' to 'libwebp'.
No longer marked as found in versions chromium/116.0.5845.180-1.
No longer marked as found in versions chromium/116.0.5845.180-1.
Ignoring request to alter fixed versions of bug #1051787 to the same values 
previously set
Ignoring request to alter fixed versions of bug #1051786 to the same values 
previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1051786: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051786
1051787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051787
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

2023-09-12 Thread Andres Salomon


reassign 1051787 libwebp
thanks


Actually I'm mistaken, we're building against the system libwebp so 
there's no need to update chromium at all for this CVE. The webp fix is 
the only (linux) change that chromium made between .180 and .187.





On Tue, Sep 12 2023 at 11:34:26 AM -04:00:00, Andres Salomon 
 wrote:

clone 1051787 -1
reassign -1 libwebp
thanks

This bug's actually in libwebp. Unfortunately we're still embedding 
it in chromium, so we likely need to fix both chromium *and* libwebp 
in debian. There hasn't been a libwebp release yet, but the two 
relevant git commits are


and what appears to be a followup fix to that,



On Tue, Sep 12 2023 at 09:12:40 AM -06:00:00, Jeffrey Cliff 
 wrote:

Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team >


Dear Maintainer,

116.0.5845.187 fixes a critical remote vulnerability in chrome

[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
Reported by Apple Security Engineering and Architecture (SEAR) and 
The Citizen

Lab at The University of Torontoʼs Munk School on 2023-09-06



Might want to look into this at least

(attempt 3, my reportbug broke sorry)

Jeff Cliff

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500,
'oldstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled


Versions of packages chromium depends on:
pn  chromium-common
ii  libasound2 1.2.9-2
ii  libatk-bridge2.0-0 2.49.91-2
ii  libatk1.0-02.49.91-2
ii  libatomic1 13.2.0-3
ii  libatspi2.0-0  2.49.91-2
ii  libbrotli1 1.0.9-2+b6
ii  libc6  2.37-7
ii  libcairo2  1.17.8-3
ii  libcups2   2.4.2-5
ii  libdbus-1-31.14.10-1devuan1
ii  libdouble-conversion3  3.3.0-1
ii  libdrm22.4.115-1
ii  libevent-2.1-7 2.1.12-stable-8
ii  libexpat1  2.5.0-2
ii  libflac12  1.4.3+ds-2
ii  libfontconfig1 2.14.2-5
ii  libfreetype6   2.13.2+dfsg-1
ii  libgbm123.1.7-1
ii  libgcc-s1  13.2.0-3
ii  libglib2.0-0   2.77.3-1
ii  libgtk-3-0 3.24.38-4
ii  libjpeg62-turbo1:2.1.5-2
ii  libjsoncpp25   1.9.5-6
ii  liblcms2-2 2.14-2
ii  libminizip11:1.2.13.dfsg-3
ii  libnspr4   2:4.35-1.1
ii  libnss32:3.92-1
pn  libopenh264-7  
ii  libopenjp2-7   2.5.0-2
ii  libopus0   1.4-1
ii  libpango-1.0-0 1.51.0+ds-2
ii  libpng16-161.6.40-1
ii  libpulse0  16.1+dfsg1-2+b1
ii  libsnappy1v5   1.1.10-1
ii  libstdc++6 13.2.0-3
ii  libwebp7   1.2.4-0.2
ii  libwebpdemux2  1.2.4-0.2
ii  libwebpmux31.2.4-0.2
ii  libwoff1   1.0.2-2
ii  libx11-6   2:1.8.6-1
ii  libxcb11.15-1
ii  libxcomposite1 1:0.4.5-1
ii  libxdamage11:1.1.6-1
ii  libxext6   2:1.3.4-1+b1
ii  libxfixes3 1:6.0.0-2
ii  libxkbcommon0  1.5.0-1
ii  libxml22.9.14+dfsg-1.3
ii  libxnvctrl0525.125.06-1
ii  libxrandr2 2:1.5.2-2+b1
ii  libxslt1.1 1.1.35-1
ii  zlib1g 1:1.2.13.dfsg-3

Versions of packages chromium recommends:
pn  chromium-sandbox  

Versions of packages chromium suggests:
pn  chromium-driver  
pn  chromium-l10n
pn  chromium-shell

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

2023-09-12 Thread Andres Salomon


clone 1051787 -1
reassign -1 libwebp
thanks

This bug's actually in libwebp. Unfortunately we're still embedding it 
in chromium, so we likely need to fix both chromium *and* libwebp in 
debian. There hasn't been a libwebp release yet, but the two relevant 
git commits are


and what appears to be a followup fix to that,



On Tue, Sep 12 2023 at 09:12:40 AM -06:00:00, Jeffrey Cliff 
 wrote:

Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team >


Dear Maintainer,

116.0.5845.187 fixes a critical remote vulnerability in chrome

[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
Reported by Apple Security Engineering and Architecture (SEAR) and 
The Citizen

Lab at The University of Torontoʼs Munk School on 2023-09-06



Might want to look into this at least

(attempt 3, my reportbug broke sorry)

Jeff Cliff

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500,
'oldstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled


Versions of packages chromium depends on:
pn  chromium-common
ii  libasound2 1.2.9-2
ii  libatk-bridge2.0-0 2.49.91-2
ii  libatk1.0-02.49.91-2
ii  libatomic1 13.2.0-3
ii  libatspi2.0-0  2.49.91-2
ii  libbrotli1 1.0.9-2+b6
ii  libc6  2.37-7
ii  libcairo2  1.17.8-3
ii  libcups2   2.4.2-5
ii  libdbus-1-31.14.10-1devuan1
ii  libdouble-conversion3  3.3.0-1
ii  libdrm22.4.115-1
ii  libevent-2.1-7 2.1.12-stable-8
ii  libexpat1  2.5.0-2
ii  libflac12  1.4.3+ds-2
ii  libfontconfig1 2.14.2-5
ii  libfreetype6   2.13.2+dfsg-1
ii  libgbm123.1.7-1
ii  libgcc-s1  13.2.0-3
ii  libglib2.0-0   2.77.3-1
ii  libgtk-3-0 3.24.38-4
ii  libjpeg62-turbo1:2.1.5-2
ii  libjsoncpp25   1.9.5-6
ii  liblcms2-2 2.14-2
ii  libminizip11:1.2.13.dfsg-3
ii  libnspr4   2:4.35-1.1
ii  libnss32:3.92-1
pn  libopenh264-7  
ii  libopenjp2-7   2.5.0-2
ii  libopus0   1.4-1
ii  libpango-1.0-0 1.51.0+ds-2
ii  libpng16-161.6.40-1
ii  libpulse0  16.1+dfsg1-2+b1
ii  libsnappy1v5   1.1.10-1
ii  libstdc++6 13.2.0-3
ii  libwebp7   1.2.4-0.2
ii  libwebpdemux2  1.2.4-0.2
ii  libwebpmux31.2.4-0.2
ii  libwoff1   1.0.2-2
ii  libx11-6   2:1.8.6-1
ii  libxcb11.15-1
ii  libxcomposite1 1:0.4.5-1
ii  libxdamage11:1.1.6-1
ii  libxext6   2:1.3.4-1+b1
ii  libxfixes3 1:6.0.0-2
ii  libxkbcommon0  1.5.0-1
ii  libxml22.9.14+dfsg-1.3
ii  libxnvctrl0525.125.06-1
ii  libxrandr2 2:1.5.2-2+b1
ii  libxslt1.1 1.1.35-1
ii  zlib1g 1:1.2.13.dfsg-3

Versions of packages chromium recommends:
pn  chromium-sandbox  

Versions of packages chromium suggests:
pn  chromium-driver  
pn  chromium-l10n
pn  chromium-shell

Processed (with 2 errors): Re: Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

2023-09-12 Thread Debian Bug Tracking System

Processing commands for cont...@bugs.debian.org:

> clone 1051787 -1
Bug #1051787 [chromium] Subject: CVE-2023-4863: Heap buffer overflow in WebP
Bug #1051786 [chromium] CVE-2023-4863: Heap buffer overflow in WebP
Failed to clone 1051787: Bug is marked as being merged with others. Use an 
existing clone.

> reassign -1 libwebp
Failed to clear fixed versions and reopen on -1: The 'bug' parameter ("-1") to 
Debbugs::Control::set_package did not pass regex check
.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

2023-09-12 Thread Jeffrey Cliff

Package: chromium
Version: 116.0.5845.180-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

116.0.5845.187 fixes a critical remote vulnerability in chrome

[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP.
Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen
Lab at The University of Torontoʼs Munk School on 2023-09-06

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

Might want to look into this at least

(attempt 3, my reportbug broke sorry)

Jeff Cliff

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-debug'), (500,
'oldstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-gnulibre (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled


Versions of packages chromium depends on:
pn  chromium-common
ii  libasound2 1.2.9-2
ii  libatk-bridge2.0-0 2.49.91-2
ii  libatk1.0-02.49.91-2
ii  libatomic1 13.2.0-3
ii  libatspi2.0-0  2.49.91-2
ii  libbrotli1 1.0.9-2+b6
ii  libc6  2.37-7
ii  libcairo2  1.17.8-3
ii  libcups2   2.4.2-5
ii  libdbus-1-31.14.10-1devuan1
ii  libdouble-conversion3  3.3.0-1
ii  libdrm22.4.115-1
ii  libevent-2.1-7 2.1.12-stable-8
ii  libexpat1  2.5.0-2
ii  libflac12  1.4.3+ds-2
ii  libfontconfig1 2.14.2-5
ii  libfreetype6   2.13.2+dfsg-1
ii  libgbm123.1.7-1
ii  libgcc-s1  13.2.0-3
ii  libglib2.0-0   2.77.3-1
ii  libgtk-3-0 3.24.38-4
ii  libjpeg62-turbo1:2.1.5-2
ii  libjsoncpp25   1.9.5-6
ii  liblcms2-2 2.14-2
ii  libminizip11:1.2.13.dfsg-3
ii  libnspr4   2:4.35-1.1
ii  libnss32:3.92-1
pn  libopenh264-7  
ii  libopenjp2-7   2.5.0-2
ii  libopus0   1.4-1
ii  libpango-1.0-0 1.51.0+ds-2
ii  libpng16-161.6.40-1
ii  libpulse0  16.1+dfsg1-2+b1
ii  libsnappy1v5   1.1.10-1
ii  libstdc++6 13.2.0-3
ii  libwebp7   1.2.4-0.2
ii  libwebpdemux2  1.2.4-0.2
ii  libwebpmux31.2.4-0.2
ii  libwoff1   1.0.2-2
ii  libx11-6   2:1.8.6-1
ii  libxcb11.15-1
ii  libxcomposite1 1:0.4.5-1
ii  libxdamage11:1.1.6-1
ii  libxext6   2:1.3.4-1+b1
ii  libxfixes3 1:6.0.0-2
ii  libxkbcommon0  1.5.0-1
ii  libxml22.9.14+dfsg-1.3
ii  libxnvctrl0525.125.06-1
ii  libxrandr2 2:1.5.2-2+b1
ii  libxslt1.1 1.1.35-1
ii  zlib1g 1:1.2.13.dfsg-3

Versions of packages chromium recommends:
pn  chromium-sandbox  

Versions of packages chromium suggests:
pn  chromium-driver  
pn  chromium-l10n
pn  chromium-shell

Processed: Re: Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

Processed (with 2 errors): Re: Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

Bug#1051787: Subject: CVE-2023-4863: Heap buffer overflow in WebP

5 matches

Site Navigation

Mail list logo

Footer information