#cve20235129 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cve20235129, aggregated by home.social.
-
Good Morning, story so far on the next log4j level #vulnerability #CVE20234863 #CVE20235129
#0day #Chrome #iOS
- libwebp library is vulnerable to a heap overflow and can lead to RCE.
- Apple assigned #CVE202341064 and #CVE202341061. Also actively exploited by #blastpass
- #Google assigned #CVE20235129 for Chrome 0day and also exploited
- Millions of apps and software use this library. See list so far in 🧵
- #CVE20235129 was rejected by NVD earlier due to all this confusion of several vendors assigning CVEs affecting their products
- This will lead to vulnerability scanners not being able to correctly identify if your assets are affected with libwebp. #infosec #sectoot
-
@campuscodi This article claims that it is a new CVE for the same vulnerability, to clarify scope?
https://stackdiary.com/heap-buffer-overflow-in-libwebp-cve-2023-5129/
But this seclists thread seems to say that CVE-2023-5129 is associated with libwebp commits that are different from the fixes associated with CVE-2023-4863 [Edit: but these are described by the issuer as cleanups]:
https://seclists.org/oss-sec/2023/q3/230
The seclists poster is reaching out to double-check whether it's new. Solar Designer's assessment is that it's probably the same (but that the cleanups in the code should be examined anyway):
https://seclists.org/oss-sec/2023/q3/236
#CVE20235129 #CVE20234863 #CVE_2023_4863 #CVE_2023_5129 #libwebp