PT-2020-6123 · Google+9 · Libwebp+9

Published

2018-11-22

·

Updated

2021-11-30

·

CVE-2020-36330

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions libwebp versions prior to 1.0.1
Description The issue is related to an out-of-bounds read in the libwebp library, which is used for encoding and decoding WebP images. This can be exploited by a remote attacker to gain access to confidential information by creating a specially crafted file. The highest threat from this issue is to data confidentiality and service availability.
Recommendations For libwebp versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ChunkVerifyAndAssign function until a patch is available.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-125

Related Identifiers

ALSA-2021:4231
ALT-PU-2018-2673
BDU:2021-03104
CESA-2021_4231
CVE-2020-36330
DLA-2677-1
DSA-4930-1
OPENSUSE-SU-2021:1860-1
OPENSUSE-SU-2021_1860-1
RHSA-2021:4231
RHSA-2021_4231
RLSA-2021:4231
SUSE-SU-2021:1830-1
SUSE-SU-2021:1860-1
USN-4971-1
USN-4971-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Libwebp