| Name | CVE-2023-1999 |
| Description | There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3391-1, DLA-3400-1, DLA-3439-1, DSA-5385-1, DSA-5392-1, DSA-5408-1 |
| Debian Bugs | 1035371 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| firefox (PTS) | sid | 133.0.3-1 | fixed |
| firefox-esr (PTS) | bullseye | 115.14.0esr-1~deb11u1 | fixed |
| bullseye (security) | 128.5.0esr-1~deb11u1 | fixed | |
| bookworm | 128.3.1esr-1~deb12u1 | fixed | |
| bookworm (security) | 128.5.0esr-1~deb12u1 | fixed | |
| trixie | 128.5.0esr-1 | fixed | |
| sid | 128.5.1esr-1 | fixed | |
| libwebp (PTS) | bullseye (security), bullseye | 0.6.1-2.1+deb11u2 | fixed |
| bookworm, bookworm (security) | 1.2.4-0.2+deb12u1 | fixed | |
| sid, trixie | 1.4.0-0.1 | fixed | |
| thunderbird (PTS) | bullseye | 1:115.12.0-1~deb11u1 | fixed |
| bullseye (security) | 1:128.5.0esr-1~deb11u1 | fixed | |
| bookworm | 1:115.16.0esr-1~deb12u1 | fixed | |
| bookworm (security) | 1:128.5.0esr-1~deb12u1 | fixed | |
| sid, trixie | 1:128.5.2esr-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| firefox | source | (unstable) | 112.0-1 | |||
| firefox-esr | source | buster | 102.10.0esr-1~deb10u1 | DLA-3391-1 | ||
| firefox-esr | source | bullseye | 102.10.0esr-1~deb11u1 | DSA-5385-1 | ||
| firefox-esr | source | (unstable) | 102.10.0esr-1 | |||
| libwebp | source | buster | 0.6.1-2+deb10u2 | DLA-3439-1 | ||
| libwebp | source | bullseye | 0.6.1-2.1+deb11u1 | DSA-5408-1 | ||
| libwebp | source | (unstable) | 1.2.4-0.2 | 1035371 | ||
| thunderbird | source | buster | 1:102.10.0-1~deb10u1 | DLA-3400-1 | ||
| thunderbird | source | bullseye | 1:102.10.0-1~deb11u1 | DSA-5392-1 | ||
| thunderbird | source | (unstable) | 1:102.10.0-1 |
https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/#CVE-2023-1999
https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/#CVE-2023-1999
https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-1999
https://bugzilla.mozilla.org/show_bug.cgi?id=1819244 (not public)
https://hg.mozilla.org/releases/mozilla-esr102/rev/53b805c752ff23080e100eda2b3b4280d4370b2e
https://chromium.googlesource.com/webm/libwebp/+/4654e1e7381044717d5d3e0dd7e735633a3ff300 (1.3.0)
Fixed by: https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129 (v1.3.1-rc1)
Introduced by: https://github.com/webmproject/libwebp/commit/187d379db68839f76d1390be291c471f2f66644c (v0.5.0-rc1)
Introduced by: https://github.com/webmproject/libwebp/commit/5692eae1f3efd8b7b47398a9f5d74f1dc6f64e7f (backport; v0.4.2-rc2)