Chromium Embedded Framework Forum

[HarmlessDave]

https://nvd.nist.gov/vuln/detail/CVE-2023-4863 - "Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)"

This CVE was only posted 2 days ago but it seems pretty serious.

Has the Chromium patch for this already been added to CEF 116 (5845) and 117 (5938) or is that coming in a future update?

[magreenblatt]

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187

CEF M116 builds are currently at 116.0.5845.189, so it sounds like those will include the fix. Do you know what version of M117 includes the fix?

[HarmlessDave]

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187

CEF M116 builds are currently at 116.0.5845.189, so it sounds like those will include the fix. Do you know what version of M117 includes the fix?

Sorry, no. It isn't clear from the CVE what the minimum 117 version is, but I noticed there was a Google Chrome update today to Version 117.0.5938.63 (Official Build) (64-bit) that was probably to add the fix.

[ndesktop]

https://chromereleases.googleblog.com/2 ... op_11.html
Looks like fixed in 116.0.5845.187.

Edit: I think this is the fix. This is the DEPS commit.

For M117 I see the same commit here at 09-09-2023 22:56 then follows 117.0.5938.60 after 1+ hour on 09-09-2023 00:13.
So:
- M116: 116.0.5845.187
- M117: 117.0.5938.60

[amaitland]

Chrome 117.0.5938.62 (Linux and Mac), 117.0.5938.62/.63( Windows)

https://chromereleases.googleblog.com/2 ... 2.html?m=1

[magreenblatt]

There's another related CVE (CVE-2023-5217) that is fixed in Chromium 117.0.5938.132. This one is triggered by WebCodecs API encoder usage, so a workaround for older versions is to disable the WebCodecs API (`--disable-blink-features=WebCodecs`).