libwebp has critical cve-2023-4863
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libgd2 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
There is a buffer overflow bug cve-2023-4863 in libwebp which is getting actively attacked in the wild (e.g. Chromium assigned this Critical severity).
According to my research gd uses libwebp and php-gd/libgd does not use the dynamically linked version from the libwebp package.
So I assume, that if libgd is vulnerable, it would still vulnerable if the libwebp package gets fixed.
So if libwebp is vulnerable it should be tracked separately from libwebp; and show e.g. on https:/
We use libgd, but security analysis showed our systems do won't handle webp files to gd, so we should not be vulnerable, but a lot of services would be.
I do not have the resources to code-dive/make a proof of concept. But I think it is critical that someone can rule out that cve-2023-4863 in php-gd / build against a patched version of libwebp; also e.g. for xenial.
| Mark Esler (eslerm) wrote | #1 |
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Changed in libgd2 (Ubuntu): | |
| status: | New → Fix Released |
| status: | Fix Released → Invalid |
| Marc Deslauriers (mdeslaur) wrote | #3 |
| information type: | Private Security → Public Security |
Thank you for the report A333!
I could not find the affected source code [0] in the xenial or mantic version of libgd2. Mantic does use libwebp-dev as a build dependency.
Does the php-gd package go by another name?
From Debian's codesearch [1] I am not seeing other affected packages.
I truly appreciate the check. Thank you.
[0] https:/
[1] https:/