libwebp has critical cve-2023-4863
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libgd2 (Ubuntu) | Invalid | Undecided | Unassigned | 
Bug Description
There is a buffer overflow bug cve-2023-4863 in libwebp which is getting actively attacked in the wild (e.g. Chromium assigned this Critical severity).
According to my research gd uses libwebp and php-gd/libgd does not use the dynamically linked version from the libwebp package.
So I assume that if libgd is vulnerable, it would still be vulnerable if the libwebp package gets fixed.
So if libwebp is vulnerable it should be tracked separately from libwebp; and show e.g. on https:/
We use libgd, but security analysis showed our systems won't hand webp files to gd, so we should not be vulnerable, but a lot of services would be.
I do not have the resources to code-dive/make a proof of concept. But I think it is critical that someone can rule out that cve-2023-4863 in php-gd / build against a patched version of libwebp; also e.g. for xenial.
information type: Private Security → Public Security
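The report turns on one question: does a given libgd/php-gd binary get libwebp from the system package (so the libwebp security update covers it), or does it carry its own copy (so only a rebuild against patched libwebp helps)? The shell script below is an added example written for this page, not part of the bug report or of the Ubuntu, libgd or PHP projects. It classifies `ldd` and `nm -D` output for an object file; the sample listings are constructed, and the `gd.so` path in the usage comment is an assumption that varies by distribution and PHP version.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether a libgd/php-gd object
# takes libwebp from the system package (dynamically linked) or carries its
# own copy (invisible to ldd, needs a rebuild against fixed libwebp).

# "dynamic" if an ldd listing resolves a libwebp.so, otherwise "absent".
classify_ldd_output() {
    if printf '%s\n' "$1" | grep -q 'libwebp\.so'; then
        echo dynamic
    else
        echo absent
    fi
}

# "bundled" if the object itself *defines* (T/t) libwebp entry points, i.e. a
# static or vendored copy that exports them; "none" otherwise.  An imported
# symbol shows as U and does not count.  A copy built with hidden visibility
# will not show here at all; then only the package's build dependencies and
# source tell you, which is the check done in the comments above.
classify_nm_output() {
    if printf '%s\n' "$1" | grep -Eq '[[:space:]][Tt][[:space:]]WebP(Decode|GetInfo|GetFeatures)'; then
        echo bundled
    else
        echo none
    fi
}

# Run both views against a real file on disk and print a one-line verdict.
check_webp_linkage() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    dyn=$(classify_ldd_output "$(ldd "$f" 2>/dev/null)")
    sym=$(classify_nm_output "$(nm -D "$f" 2>/dev/null)")
    case "$dyn/$sym" in
        dynamic/*) echo "$f: libwebp from system package (covered by the libwebp update)";;
        */bundled) echo "$f: bundled libwebp (needs rebuild against fixed libwebp)";;
        *)         echo "$f: no libwebp visible (check build deps for a hidden copy)";;
    esac
}

# Constructed sample outputs so the classifiers can be exercised offline.
SAMPLE_LDD_DYNAMIC='    linux-vdso.so.1 (0x00007ffc0a1d2000)
    libwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f2b6c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b6bc00000)'
SAMPLE_LDD_STATIC='    linux-vdso.so.1 (0x00007ffc0a1d2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b6bc00000)'
SAMPLE_NM_BUNDLED='0000000000021a40 T WebPDecode
0000000000021b10 T WebPGetInfo
                 U malloc'
SAMPLE_NM_NONE='0000000000021a40 T gdImageCreateFromWebp
                 U WebPDecode'

# Usage on a live system (path is an assumption; adjust to your PHP version):
#   check_webp_linkage /usr/lib/php/20220830/gd.so
```

Run it against every `gd.so` and `libgd.so*` on the host; a `dynamic` verdict means the fix ships with the libwebp package update, while `bundled` or `none` means the package itself has to be rebuilt and tracked separately, which is the point the report makes.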
Thank you for the report A333!
I could not find the affected source code [0] in the xenial or mantic version of libgd2. Mantic does use libwebp-dev as a build dependency.
Does the php-gd package go by another name?
From Debian's codesearch [1] I am not seeing other affected packages.
I truly appreciate the check. Thank you.
[0] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch
[1] https://codesearch.debian.net/search?q=gstspu-pgs.c&literal=1