CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx
As I posted in #3086 (closed):
We have another zero-day, this one in libvpx: CVE-2023-5217
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
The webp vuln is probably a lot worse as it involves decoding images; this one seems to only affect browsers, messengers, and other apps that encode video. Also anything with webrtc by the looks of it.
For this one we might be able to grep for vulnerable versions (unless using a backported patch that kept the old version number of course):
$ strings fennec/.../libxul.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.13.0
$ strings telegram-foss/.../libtmessages.46.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.13.0
$ strings element/.../libjingle_peerconnection_so.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.12.0-256-gb7c22b3a9
$ strings jitsi-meet/.../libjingle_peerconnection_so.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.12.0-256-gb7c22b3a9Apps found in scan (#3087 (comment 1584484549)):
-
chat.fluffy.fluffychat, updated and new webrtc -
com.caydey.ffshare, upstream issue, development seems stalled -
com.cheogram.android- webrtc uses M117 from Conversations, updated -
com.cweb.messenger- webrtc (Conversations fork), upstream issue, updated to 2.12.12 -
com.databag, upstream issue, update live -
com.infomaniak.meet, upstream issue, update merged -
com.mattermost.rnbeta, upstream issue -
com.nextcloud.talk2, update live -
com.tutpro.baresip.plus, update live -
com.vladpen.cams, upstream issue -
com.wire, app rewritten, no eta -
com.zoffcc.applications.trifa, update live -
community.peers.internetradio, development seems stalled -
cx.ring, upstream issue -
d.d.meshenger, upstream issue -
de.hoppfoundation.klassenzimmer, development seems stalled -
de.monocles.chat- webrtc uses M117 from Conversations, updated -
de.pixart.messenger- webrtc (Conversations fork), stopped development -
de.spiritcroc.riotx, update live -
deckers.thibault.aves.libre, upstream issue -
eu.siacs.conversations- webrtc M117 patched with ported patch updated now -
ie.equalit.ceno -
im.quicksy.client- webrtc M117 patched with ported patch updated now -
im.vector.app, update live -
io.lbry.browser, development seems stalled -
ltd.evilcorp.atox, updated libs, needs to be released -
nekox.messenger, development seems stalled -
net.reichholf.dreamdroid, based on libvlc (see below), app dev is looking for a maintainer -
network.loki.messenger.fdroid, upstream issue -
org.atalk.android, update live -
org.avmedia.remotevideocam, upstream issue -
org.forkgram.messenger, based on Telegram FOSS see below, update live -
org.jellyfin.androidtv, upstream issue -
org.jitsi.meet, update live -
org.linphone, upstream issue -
org.mozilla.fennec_fdroid- updated -
org.simlar, upstream issue -
org.snikket.android- webrtc (Conversations fork), update live -
org.telegram.messenger- updated -
org.tigase.messenger.phone.pro, upstream issue, development seems stalled -
org.videolan.vlc, no updated versions tagged yet, https://floss.social/@fdroidorg/112150651327878218; not affected, as the libvpx encoder is not exposed -
us.spotco.fennec_dos- updated
Edited by Licaon_Kter