Bug 1217615 (CVE-2023-6351)

Summary: VUL-0: CVE-2023-6351: libavif,chromium,ungoogled-chromium,nodejs-electron: use-after-free in colorProperties
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Yifan Jiang <yfjiang>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P3 - Medium
CC: abergmann, asn, brunopitrus, gianluca.gabrielli, gmbr3, m.szczepaniak.000, security-team, stoyan.manolov
Version: Leap 15.5
Flags: yfjiang: needinfo? (stoyan.manolov)
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.opensuse.org/show_bug.cgi?id=1217616
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2023-11-28 20:36:24 UTC
A use-after-free issue was reported in libavif (bundled in Chromium). CVE-2023-6351 was assigned to this issue.

Apparent fix: https://github.com/AOMediaCodec/libavif/commit/456f78a3b2d3eacb8ca4193b79129b23785e41e9

SUSE:SLE-15-SP4:Update/libavif has 0.9.3
Chromium builds with the bundled libavif and needs a fix.

References:
https://crbug.com/1501770
https://github.com/AOMediaCodec/libavif/pull/1757
https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
https://github.com/AOMediaCodec/libavif/releases/tag/v1.0.2
Comment 1 Andreas Stieger 2023-11-28 20:50:03 UTC
libavif bump: https://build.opensuse.org/request/show/1129665
Comment 2 Andreas Stieger 2023-11-29 07:24:05 UTC
Submitted to Factory. SUSE:SLE-15-SP4:Update/libavif has 0.9.3; security team, can you evaluate and find the SLE bugowner?
Comment 3 OBSbugzilla Bot 2023-11-29 08:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1217615) was mentioned in
https://build.opensuse.org/request/show/1129722 Factory / chromium
https://build.opensuse.org/request/show/1129724 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
Comment 6 OBSbugzilla Bot 2023-11-30 10:15:03 UTC
This is an autogenerated message for OBS integration:
This bug (1217615) was mentioned in
https://build.opensuse.org/request/show/1129955 Factory / ungoogled-chromium
Comment 7 Marcus Meissner 2023-11-30 17:05:05 UTC
openSUSE-SU-2023:0387-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1217614,1217615,1217616
CVE References: CVE-2023-6345,CVE-2023-6346,CVE-2023-6347,CVE-2023-6348,CVE-2023-6350,CVE-2023-6351
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    chromium-119.0.6045.199-bp155.2.61.1
openSUSE Backports SLE-15-SP4 (src):    chromium-119.0.6045.199-bp154.2.147.1
Comment 9 Andreas Stieger 2023-12-21 08:20:54 UTC
SUSE:SLE-15-SP4:Update/libavif has 0.9.3:
security team: evaluate and find the SLE bugowner
Comment 10 Andreas Stieger 2023-12-21 09:20:18 UTC
libavif has a rewrite of the fix
https://github.com/AOMediaCodec/libavif/releases/tag/v1.0.3
> Rewrite the fix for memory errors reported in crbug.com/1501770
Comment 13 Yifan Jiang 2024-03-20 10:28:15 UTC
(In reply to Stoyan Manolov from comment #11)
> Hi, can you help with a submission for SLE-15-SP4?

Hi Stoyan, to confirm I didn't miss anything: I saw SLE-15-SP4 and ALP were not affected by this CVE, and Factory has got it updated to 1.0.4 including the necessary fixes, so I think we can wrap this up right here. Do you agree?