Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6284ffe9-d228-46f0-be8c-c7f78a030523@oracle.com>
Date: Sat, 30 Sep 2023 13:38:27 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx

On 9/28/23 11:37, Alan Coopersmith wrote:
> It does not appear that libvpx 1.13.1 has been released yet,

It was released yesterday, with the note:

    "This release contains two security related fixes. One each for VP8 and VP9."

    https://github.com/webmproject/libvpx/releases/tag/v1.13.1

CVE-2023-44488 has been assigned to the VP9 bug:

    "VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related
     to encoding."

    https://www.cve.org/CVERecord?id=CVE-2023-44488

It points to this commit for the fix:

    https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris


Download attachment "OpenPGP_0xA2FB9E081F2D130E.asc" of type "application/pgp-keys" (8713 bytes)

Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.