Wait what? Now it's not a valid CVE anymore?

#CVE_2023_5129
Okay, a continually-updated list of Electron apps and their Electron versions, and whether they're vulnerable to #CVE_2023_5129, aka #CVE_2023_4863.

https://docs.google.com/spreadsheets/d/1QLLFYCO0FMAu1ob6mnYCapW8dnx-HXunbf_zc9QLXlM/edit?usp=sharing


And for those of you who refuse to click on Google links:
https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec

@campuscodi This article claims that it is a new CVE for the same vulnerability, to clarify scope?

https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/

But this seclists thread seems to say that CVE-2023-5129 is associated with libwebp commits that are different from the fixes associated with CVE-2023-4863 [Edit: but these are described by the issuer as cleanups]:

https://seclists.org/oss-sec/2023/q3/230

The seclists poster is reaching out to double-check whether it's new. Solar Designer's assessment is that it's probably the same (but that the cleanups in the code should be examined anyway):

https://seclists.org/oss-sec/2023/q3/236

#CVE20235129 #CVE20234863 #CVE_2023_4863 #CVE_2023_5129 #libwebp

Google assigns a CVE for libwebp and gives it a 10.0 score

In case you missed the news, there's a critical 0day in WebP (a heap buffer overflow in the libwebp library) floating about, which was initially issued as
