-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: libwebp security update Advisory ID: RHSA-2021:4231-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4231 Issue date: 2021-11-09 CVE Names: CVE-2018-25009 CVE-2018-25010 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 ==================================================================== 1. Summary: An update for libwebp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Security Fix(es): * libwebp: out-of-bounds read in WebPMuxCreateInternal (CVE-2018-25009) * libwebp: out-of-bounds read in ApplyFilter() (CVE-2018-25010) * libwebp: out-of-bounds read in WebPMuxCreateInternal() (CVE-2018-25012) * libwebp: out-of-bounds read in ShiftBytes() (CVE-2018-25013) * libwebp: use of uninitialized value in ReadSymbol() (CVE-2018-25014) * libwebp: out-of-bounds read in ChunkVerifyAndAssign() in mux/muxread.c (CVE-2020-36330) * libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c (CVE-2020-36331) * libwebp: excessive memory allocation when reading a file (CVE-2020-36332) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1956853 - CVE-2020-36330 libwebp: out-of-bounds read in ChunkVerifyAndAssign() in mux/muxread.c 1956856 - CVE-2020-36331 libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c 1956868 - CVE-2020-36332 libwebp: excessive memory allocation when reading a file 1956917 - CVE-2018-25009 libwebp: out-of-bounds read in WebPMuxCreateInternal 1956918 - CVE-2018-25010 libwebp: out-of-bounds read in ApplyFilter() 1956922 - CVE-2018-25012 libwebp: out-of-bounds read in WebPMuxCreateInternal() 1956926 - CVE-2018-25013 libwebp: out-of-bounds read in ShiftBytes() 1956927 - CVE-2018-25014 libwebp: use of uninitialized value in ReadSymbol() 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: libwebp-1.0.0-5.el8.src.rpm aarch64: libwebp-1.0.0-5.el8.aarch64.rpm libwebp-debuginfo-1.0.0-5.el8.aarch64.rpm libwebp-debugsource-1.0.0-5.el8.aarch64.rpm libwebp-devel-1.0.0-5.el8.aarch64.rpm libwebp-java-debuginfo-1.0.0-5.el8.aarch64.rpm libwebp-tools-debuginfo-1.0.0-5.el8.aarch64.rpm ppc64le: libwebp-1.0.0-5.el8.ppc64le.rpm libwebp-debuginfo-1.0.0-5.el8.ppc64le.rpm libwebp-debugsource-1.0.0-5.el8.ppc64le.rpm libwebp-devel-1.0.0-5.el8.ppc64le.rpm libwebp-java-debuginfo-1.0.0-5.el8.ppc64le.rpm libwebp-tools-debuginfo-1.0.0-5.el8.ppc64le.rpm s390x: libwebp-1.0.0-5.el8.s390x.rpm libwebp-debuginfo-1.0.0-5.el8.s390x.rpm libwebp-debugsource-1.0.0-5.el8.s390x.rpm libwebp-devel-1.0.0-5.el8.s390x.rpm libwebp-java-debuginfo-1.0.0-5.el8.s390x.rpm libwebp-tools-debuginfo-1.0.0-5.el8.s390x.rpm x86_64: libwebp-1.0.0-5.el8.i686.rpm libwebp-1.0.0-5.el8.x86_64.rpm libwebp-debuginfo-1.0.0-5.el8.i686.rpm libwebp-debuginfo-1.0.0-5.el8.x86_64.rpm libwebp-debugsource-1.0.0-5.el8.i686.rpm libwebp-debugsource-1.0.0-5.el8.x86_64.rpm libwebp-devel-1.0.0-5.el8.i686.rpm libwebp-devel-1.0.0-5.el8.x86_64.rpm libwebp-java-debuginfo-1.0.0-5.el8.i686.rpm libwebp-java-debuginfo-1.0.0-5.el8.x86_64.rpm libwebp-tools-debuginfo-1.0.0-5.el8.i686.rpm libwebp-tools-debuginfo-1.0.0-5.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-25009 https://access.redhat.com/security/cve/CVE-2018-25010 https://access.redhat.com/security/cve/CVE-2018-25012 https://access.redhat.com/security/cve/CVE-2018-25013 https://access.redhat.com/security/cve/CVE-2018-25014 https://access.redhat.com/security/cve/CVE-2020-36330 https://access.redhat.com/security/cve/CVE-2020-36331 https://access.redhat.com/security/cve/CVE-2020-36332 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrdV9zjgjWX9erEAQjPKw//b87QnRCt7mK8HBE36Ryh32/KlNTbdNl6 KXkxyVMUVTaofuqdPoXmJOCUkaVUIxypxj4rnYKDIkRiWMIjTs11j5N17GRbUzC8 j0BLMniOja5AoeYJaRd3hSaJEh4Pwq7a1kYhlxwcJxQ2XUHLBNa8++aItgRcpfOv ANQKsfjppoLqTAvgSNwvbLEG+yiObS/oj3wxZpIL1LVgAFiHQZBgAQYci6Oi712Y O3zyuq5jWkGcPtvp+v62fv3vVM4lqMcDna59O8DpcPmgwDgnJjQv8hd6WsIjMc6l ofXaipBrUlr5viTMDBMt36Vel2M4mvIcfrA+4walNO0mGpMrB/2ukqyn2yMzO8dl zmMGw4XsBFVKvqjkjiIApyn2UtmPelOyjDwr0WnUvrx/CprW/cxhA1Ou1tSPwMEE 0DIvANBtNLMm//1juXKSUUew8lKy32I06hrp9bLq44p15DeC1cab7V1cb1e+urWm Pa3ZiUHvFpiKK5hRrAx64I0ZDle0vgwe92OIi5ibT+FT6F5dL4cnbhv/6pDi/saP YDZlQNidSs8QYRWRJdXCH7EDCRyncZjFKTrnuJhpJ/Iz8cCIl0JjtnbeVaW7iHsI qnqSANHZV+iVrSJEav8JLmWWkrf9HYlixI6udpG5cZmNt4Be9q6f8WIguq7mPy3k lJzqUU7nXTw=nPk5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce