Bug 1217615 (CVE-2023-6351) - VUL-0: CVE-2023-6351: libavif,chromium,ungoogled-chromium,nodejs-electron: use-after-free in colorProperties
Summary: VUL-0: CVE-2023-6351: libavif,chromium,ungoogled-chromium,nodejs-electron: us...
Status: NEW
Alias: CVE-2023-6351
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.5
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Yifan Jiang
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-28 20:36 UTC by Andreas Stieger
Modified: 2024-03-20 10:28 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
yfjiang: needinfo? (stoyan.manolov)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2023-11-28 20:36:24 UTC 
A use-after free issue was reported in libavif (bundled in Chromium). CVE-2023-6351 was assigned to this issue.

Apparent fix: https://github.com/AOMediaCodec/libavif/commit/456f78a3b2d3eacb8ca4193b79129b23785e41e9

SUSE:SLE-15-SP4:Update/libavif has 0.9.3
Chromium builds with the bundled libavif and needs a fix.

References:
https://crbug.com/1501770
https://github.com/AOMediaCodec/libavif/pull/1757
https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
https://github.com/AOMediaCodec/libavif/releases/tag/v1.0.2
Comment 1 Andreas Stieger 2023-11-28 20:50:03 UTC 
libavif bump: https://build.opensuse.org/request/show/1129665
Comment 2 Andreas Stieger 2023-11-29 07:24:05 UTC 
Submitted to Factory. SUSE:SLE-15-SP4:Update/libavif has 0.9.3, security team can you evaluate and find the SLE bugowner?
Comment 3 OBSbugzilla Bot 2023-11-29 08:15:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1217615) was mentioned in
https://build.opensuse.org/request/show/1129722 Factory / chromium
https://build.opensuse.org/request/show/1129724 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
Comment 6 OBSbugzilla Bot 2023-11-30 10:15:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1217615) was mentioned in
https://build.opensuse.org/request/show/1129955 Factory / ungoogled-chromium
Comment 7 Marcus Meissner 2023-11-30 17:05:05 UTC 
openSUSE-SU-2023:0387-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1217614,1217615,1217616
CVE References: CVE-2023-6345,CVE-2023-6346,CVE-2023-6347,CVE-2023-6348,CVE-2023-6350,CVE-2023-6351
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    chromium-119.0.6045.199-bp155.2.61.1
openSUSE Backports SLE-15-SP4 (src):    chromium-119.0.6045.199-bp154.2.147.1
Comment 9 Andreas Stieger 2023-12-21 08:20:54 UTC 
SUSE:SLE-15-SP4:Update/libavif has 0.9.3:
security team: evaluate and find the SLE bugowner
Comment 10 Andreas Stieger 2023-12-21 09:20:18 UTC 
libavif has a rewrite of the fix
https://github.com/AOMediaCodec/libavif/releases/tag/v1.0.3
> Rewrite the fix for memory errors reported in crbug.com/1501770
Comment 13 Yifan Jiang 2024-03-20 10:28:15 UTC 
(In reply to Stoyan Manolov from comment #11)
> Hi, can you help with a submission for SLE-15-SP4?

Hi Stoyan, to confirm I didn't miss anything: I saw SLE-15-SP4 and ALP were not affected by this CVE, and Factory has got it updated to 1.0.4 including the necessary fixes, so I think we can wrap this up right here. Do you agree?