CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx

As I posted in #3086 (closed):

We have another zero-day, this one in libvpx: CVE-2023-5217

https://www.openwall.com/lists/oss-security/2023/09/28/5

https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/


The webp vuln is probably a lot worse as it involves decoding images; this one seems to only affect browsers, messengers, and other apps that encode video. Also anything with webrtc by the looks of it.

For this one we might be able to grep for vulnerable versions (unless using a backported patch that kept the old version number of course):

$ strings fennec/.../libxul.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.13.0
$ strings telegram-foss/.../libtmessages.46.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.13.0
$ strings element/.../libjingle_peerconnection_so.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.12.0-256-gb7c22b3a9
$ strings jitsi-meet/.../libjingle_peerconnection_so.so | grep 'WebM Project VP8 Encoder'
WebM Project VP8 Encoder v1.12.0-256-gb7c22b3a9

Apps found in scan (#3087 (comment 1584484549)):

Edited by Licaon_Kter