CVE-2023-4863

Name	CVE-2023-4863
Description	Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3568-1, DLA-3569-1, DLA-3570-1, DSA-5496-1, DSA-5497-1, DSA-5497-2, DSA-5498-1
Debian Bugs	1051787

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
chromium (PTS)	buster, buster (security)	90.0.4430.212-1~deb10u1	vulnerable
	bullseye	112.0.5615.138-1~deb11u1	vulnerable
	bullseye (security)	117.0.5938.62-1~deb11u1	vulnerable
	bookworm	114.0.5735.198-1~deb12u1	vulnerable
	bookworm (security)	117.0.5938.62-1~deb12u1	vulnerable
	trixie	116.0.5845.140-1	vulnerable
	sid	117.0.5938.62-1	fixed
firefox (PTS)	sid	117.0.1-1	fixed
firefox-esr (PTS)	buster	91.12.0esr-1~deb10u1	vulnerable
	buster (security)	102.15.1esr-1~deb10u1	fixed
	bullseye	102.10.0esr-1~deb11u1	vulnerable
	bullseye (security)	102.15.1esr-1~deb11u1	fixed
	bookworm	102.13.0esr-1~deb12u1	vulnerable
	bookworm (security)	102.15.1esr-1~deb12u1	fixed
	sid, trixie	115.2.1esr-1	fixed
libwebp (PTS)	buster	0.6.1-2+deb10u1	vulnerable
	buster (security)	0.6.1-2+deb10u3	fixed
	bullseye	0.6.1-2.1	vulnerable
	bullseye (security)	0.6.1-2.1+deb11u2	fixed
	bookworm	1.2.4-0.2	vulnerable
	bookworm (security)	1.2.4-0.2+deb12u1	fixed
	sid, trixie	1.3.2-0.3	fixed
thunderbird (PTS)	buster	1:91.12.0-1~deb10u1	vulnerable
	buster (security)	1:102.15.1-1~deb10u1	fixed
	bullseye	1:102.10.0-1~deb11u1	vulnerable
	bullseye (security)	1:102.15.1-1~deb11u1	fixed
	bookworm	1:102.13.0-1~deb12u1	vulnerable
	bookworm (security)	1:102.15.1-1~deb12u1	fixed
	sid, trixie	1:115.2.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
chromium	source	buster	(unfixed)	end-of-life
chromium	source	(unstable)	117.0.5938.62-1	unimportant
firefox	source	(unstable)	117.0.1-1
firefox-esr	source	buster	102.15.1esr-1~deb10u1		DLA-3568-1
firefox-esr	source	bullseye	102.15.1esr-1~deb11u1		DSA-5496-1
firefox-esr	source	bookworm	102.15.1esr-1~deb12u1		DSA-5496-1
firefox-esr	source	(unstable)	115.2.1esr-1
libwebp	source	buster	0.6.1-2+deb10u3		DLA-3570-1
libwebp	source	bullseye	0.6.1-2.1+deb11u2		DSA-5497-2
libwebp	source	bookworm	1.2.4-0.2+deb12u1		DSA-5497-1
libwebp	source	(unstable)	1.2.4-0.3			1051787
thunderbird	source	buster	1:102.15.1-1~deb10u1		DLA-3569-1
thunderbird	source	bullseye	1:102.15.1-1~deb11u1		DSA-5498-1
thunderbird	source	bookworm	1:102.15.1-1~deb12u1		DSA-5498-1
thunderbird	source	(unstable)	1:115.2.2-1

Notes

[buster] - chromium <end-of-life> (see DSA 5046)
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
src:chromium builds against the system libwebp library
Fixed by: https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
Followup: https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/#CVE-2023-4863