A critical 0day in WebP (a heap buffer overflow in the libwebp library) was originally listed as CVE-2023-4863 and registered specifically for Google Chrome.
We have now learned that Google has issued a separate CVE, tracked as CVE-2023-5129. The severity score for this particular 0day is 10, the highest rating.
What does this mean? This is not a new bug in libwebp. It is the same bug described in CVE-2023-4863, but it is now more correctly reported as a bug in the WebP codec rather than as a "Google Chrome bug".
Versions affected by this bug are 0.5.0 to 1.3.2. Almost any software that directly uses the WebP codec to render images is affected.
In the last two weeks alone, apart from the major browsers (most of which have been fixed by now), I've seen fixes from Red Hat and Debian in software such as Puppeteer and the .NET library for ImageMagick.
Ben Hawkes (former director of Project Zero) wrote about this 0day:
The bad news is that Android is still likely to be affected. As with Apple's ImageIO, Android has a feature called BitmapFactory that handles image decoding, and of course it is supported by libwebp. To date, Android has not released an update that fixes CVE-2023-4863. To put this into context: if this bug affects Android, then exploits could potentially be released for remote attacks on apps like Signal and WhatsApp. I would expect it to be fixed with the October updates.
Ben's article also includes an example Proof of Concept along with other interesting notes.