
Google has reclassified a previously identified security vulnerability in the open-source libwebp library, which is used to encode and decode images in WebP format. The vulnerability, now tracked under CVE-2023-5129, allows attackers to perform out-of-bounds memory writes using maliciously crafted HTML pages, which could lead to crashes, unauthorized code execution, and, more alarmingly, access to classified information.
Google first disclosed the vulnerability as a flaw in its Chrome browser, where it was tracked as CVE-2023-4863. Deeper analysis showed that it actually resides in Google's open-source libwebp library, a toolset designed to encode and decode the emerging WebP image format.
Google has now assigned it a new identifier, CVE-2023-5129, along with a severity rating of 10. The flaw is a heap buffer overflow in WebP, affecting Google Chrome versions earlier than 116.0.5845.187. It sits within the Huffman coding algorithm that libwebp uses for lossless compression. Through this flaw, adversaries can use maliciously designed HTML pages to perform out-of-bounds memory writes.
A maliciously crafted WebP lossless file can cause libwebp to write data out of bounds on the heap. The oversights in the kTableSize array and the ReplicateValue function are essentially the broken locks in this security framework.
While the magnitude of the issue as a Chrome flaw was concerning, its reclassification makes it alarming, since most projects rely on the libwebp library, making them unwitting participants in this potential security debacle. Some of the giants affected include 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and even the built-in web browsers of Android devices.
The reclassification of CVE-2023-5129 as a critical vulnerability in libwebp is a significant development. The vulnerability affects a wide range of software and could have serious consequences for users. It is important to take steps to protect yourself from this vulnerability by updating your software and being careful about the images you open.
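To act on the update advice, the sketch below triages a software inventory using only the details given in this article. It is an added example, not code from Google or the libwebp project; the CSV layout, host names and sample versions are constructed, and products other than Chrome are only flagged for a vendor-advisory check because the article gives no fixed versions for them.

```python
import csv
import io

# First unaffected Chrome build, per the article ("earlier than 116.0.5845.187").
CHROME_FIXED = (116, 0, 5845, 187)
# Other products the article names as relying on libwebp. No fixed versions are
# given for them, so they are routed to a manual vendor-advisory check.
LIBWEBP_CONSUMERS = {"1password", "signal", "safari", "mozilla firefox",
                     "microsoft edge", "opera"}

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Classify one inventory entry against the article's details."""
    name = product.strip().lower()
    if name == "google chrome":
        v = parse_version(version)
        if v is None:
            return "unknown"  # unparseable version string: review by hand
        v = (v + (0, 0, 0, 0))[:4]  # pad so "116" compares as 116.0.0.0
        return "vulnerable" if v < CHROME_FIXED else "patched"
    if name in LIBWEBP_CONSUMERS:
        return "check-vendor-advisory"
    return "not-listed"

def triage_inventory(csv_text):
    """Return (host, product, status) for each row of a host,product,version CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["product"], triage(r["product"], r["version"]))
            for r in rows]

# Constructed sample inventory: hosts and versions are made up for illustration.
SAMPLE = """host,product,version
ws-01,Google Chrome,116.0.5845.140
ws-02,Google Chrome,116.0.5845.187
ws-03,Google Chrome,117.0.5938.62
ws-04,Google Chrome,unknown
ws-05,Signal,6.30.1
ws-06,Notepad++,8.5.4
"""

if __name__ == "__main__":
    for host, product, status in triage_inventory(SAMPLE):
        print(f"{host:6} {product:14} {status}")
```

A "not-listed" result only means the article does not name the product; any application that bundles its own copy of libwebp still needs its vendor's update.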
Nice post
Nice 😊