Google quietly corrects previously submitted disclosure for critical Webp 0-day

Enlarge / Malware Detected Warning Screen with abstract binary coded 3D digital concept Getty Pictures
Google has calmly resubmitted A disclosure of A critical code execution vulnerability affecting thousands of individual apps And software executives After It is previous submission LEFT readers with THE deceived impression that THE threat affected only THE Chromium browser.

THE vulnerability comes from In THE libwebp coded library, which Google created In 2010 For rendering pictures In webp, A SO new format that successful In files that were up has 26 percent smaller as compared with has PNG pictures. Libwebp East incorporated In just about each application, Operating system, Or other coded library that makes webp pictures, most notably THE Electron frame used In Chromium And a lot other apps that run on both desktop computer And mobile devices.
Two weeks There is, Google issued A security advisory For What he said was A heap buffer overflow In WebP In Chromium. that of Google official description, follow up as CVE-2023-4863, scope THE affected supplier as "Google" And THE software affected as "Chromium," even However any of them coded that used libwebp was vulnerable. Reviews warned that that of Google failure has note that thousands of other pieces of coded were Also vulnerable would be result In useless delays In patch THE vulnerability, which allow attackers has execute malicious coded When users TO DO Nothing more that see A trap webp picture.
Enlarge
On Monday, Google submitted A new disclosure It is follow up as CVE-2023-5129. THE new entrance correctly lists libwebp as THE affected supplier And affected software. He Also bumps up THE gravity rating of THE vulnerability, Since 8.8 out of A possible ten has 10.

Enlarge
THE lack of completeness In THE First of all CVE Google assigned go GOOD beyond be A simple academic fail. More that two weeks After THE vulnerability came has light, A host of software remains not corrected. THE most blatant example East Microsoft Teams.

THE vulnerability description In that of Google new submission provides considerably more detail. THE description In THE old submission was:

Heap buffer overflow In WebP In Google Chromium Before has 116.0.5845.187 allowed A remote attacker has perform A out of terminals memory to write via A made HTML page. (Chromium security severity: Review)

THE new description is:

With A especially made WebP without loss deposit, libwebp can to write data out of terminals has THE heap. THE ReadHuffmanCodes() function allocate THE Huffman code buffer with A size that come Since A painting of precalculated sizes: kTableSize. THE color_cache_bits value defines which size has to use. THE kTableSize painting only takes In account sizes For 8 bit first level painting research but not second level painting research. libwebp allow codes that are up has 15 bit (MAX_ALLOWED_CODE_...

Technology Sep 27, 2023 0 26 Add to Reading List

Google quietly corrects previously submitted disclosure for critical Webp 0-day

Malware detected warning screen with abstract binary code 3D digital concept

Google has calmly resubmitted A disclosure of A critical code execution vulnerability affecting thousands of individual apps And software executives After It is previous submission LEFT readers with THE deceived impression that THE threat affected only THE Chromium browser.

THE vulnerability comes from In THE libwebp coded library, which Google created In 2010 For rendering pictures In webp, A SO new format that successful In files that were up has 26 percent smaller as compared with has PNG pictures. Libwebp East incorporated In just about each application, Operating system, Or other coded library that makes webp pictures, most notably THE Electron frame used In Chromium And a lot other apps that run on both desktop computer And mobile devices.

Two weeks There is, Google issued A security advisory For What he said was A heap buffer overflow In WebP In Chromium. that of Google official description, follow up as CVE-2023-4863, scope THE affected supplier as "Google" And THE software affected as "Chromium," even However any of them coded that used libwebp was vulnerable. Reviews warned that that of Google failure has note that thousands of other pieces of coded were Also vulnerable would be result In useless delays In patch THE vulnerability, which allow attackers has execute malicious coded When users TO DO Nothing more that see A trap webp picture.

On Monday, Google submitted A new disclosure It is follow up as CVE-2023-5129. THE new entrance correctly lists libwebp as THE affected supplier And affected software. He Also bumps up THE gravity rating of THE vulnerability, Since 8.8 out of A possible ten has 10.

THE lack of completeness In THE First of all CVE Google assigned go GOOD beyond be A simple academic fail. More that two weeks After THE vulnerability came has light, A host of software remains not corrected. THE most blatant example East Microsoft Teams.

THE vulnerability description In that of Google new submission provides considerably more detail. THE description In THE old submission was:

Heap buffer overflow In WebP In Google Chromium Before has 116.0.5845.187 allowed A remote attacker has perform A out of terminals memory to write via A made HTML page. (Chromium security severity: Review)

THE new description is:

With A especially made WebP without loss deposit, libwebp can to write data out of terminals has THE heap. THE ReadHuffmanCodes() function allocate THE Huffman code buffer with A size that come Since A painting of precalculated sizes: kTableSize. THE color_cache_bits value defines which size has to use. THE kTableSize painting only takes In account sizes For 8 bit first level painting research but not second level painting research. libwebp allow codes that are up has 15 bit (MAX_ALLOWED_CODE_...