Bug 1218303 (CVE-2023-6704)

Summary: VUL-0: CVE-2023-6704: libavif,chromium,ungoogled-chromium,nodejs-electron: use after free in libavif
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Stieger <Andreas.Stieger>
Component: SecurityAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: andrea.mattiazzo, Andreas.Stieger, brunopitrus, gianluca.gabrielli, gmbr3, gnome-bugs, meissner, security-team, yfjiang
Version: Leap 15.5   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6704:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2023-12-21 09:26:56 UTC 
It was reported that libavif before 1.0.3, and as bundled in Chromium, contained a use-after-free bug. colorProperties could be pointing to a dangling pointer if
findAlphaItem() resizes the meta.items array.


Also bundled in chromium, see bug 1218048

References:
https://github.com/AOMediaCodec/libavif/pull/1808
https://github.com/AOMediaCodec/libavif/commit/b984f48be99b41405cb4a7d443806e01b46936fb
https://github.com/AOMediaCodec/libavif/releases/tag/v1.0.3
https://bugs.chromium.org/p/chromium/issues/detail?id=1504792
Comment 1 Andreas Stieger 2023-12-21 09:29:17 UTC 
Security team, please locate the SLE bugowner of SUSE:SLE-15-SP4:Update/libavif 0.9.3
Comment 2 Marcus Meissner 2023-12-21 12:47:18 UTC 
libavif is for gnome bugs
Comment 3 OBSbugzilla Bot 2024-01-12 15:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138331 Factory / chromium
Comment 4 OBSbugzilla Bot 2024-01-12 21:35:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138394 Factory / chromium
Comment 5 OBSbugzilla Bot 2024-01-13 15:35:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138475 Factory / chromium
Comment 6 OBSbugzilla Bot 2024-01-14 09:45:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138548 Backports:SLE-15-SP5 / chromium
Comment 7 OBSbugzilla Bot 2024-01-14 11:35:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138553 Factory / ungoogled-chromium
Comment 8 OBSbugzilla Bot 2024-01-14 13:45:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138570 Backports:SLE-15-SP5 / chromium
Comment 9 OBSbugzilla Bot 2024-01-14 15:35:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1218303) was mentioned in
https://build.opensuse.org/request/show/1138578 Factory / ungoogled-chromium
Comment 10 Marcus Meissner 2024-01-16 11:05:08 UTC 
openSUSE-SU-2024:0020-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1217839,1218048,1218302,1218303,1218533,1218719
CVE References: CVE-2023-6508,CVE-2023-6509,CVE-2023-6510,CVE-2023-6511,CVE-2023-6512,CVE-2023-6702,CVE-2023-6703,CVE-2023-6704,CVE-2023-6705,CVE-2023-6706,CVE-2023-6707,CVE-2023-7024,CVE-2024-0222,CVE-2024-0223,CVE-2024-0224,CVE-2024-0225,CVE-2024-0333
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    chromium-120.0.6099.216-bp155.2.64.1
Comment 15 Maintenance Automation 2024-02-08 12:30:16 UTC 
SUSE-SU-2024:0423-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218303
CVE References: CVE-2023-6704
Sources used:
openSUSE Leap 15.4 (src): libavif-0.9.3-150400.3.3.1
openSUSE Leap 15.5 (src): libavif-0.9.3-150400.3.3.1
Basesystem Module 15-SP5 (src): libavif-0.9.3-150400.3.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): libavif-0.9.3-150400.3.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): libavif-0.9.3-150400.3.3.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): libavif-0.9.3-150400.3.3.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): libavif-0.9.3-150400.3.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): libavif-0.9.3-150400.3.3.1
SUSE Manager Proxy 4.3 (src): libavif-0.9.3-150400.3.3.1
SUSE Manager Retail Branch Server 4.3 (src): libavif-0.9.3-150400.3.3.1
SUSE Manager Server 4.3 (src): libavif-0.9.3-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.