CVE-2023-5217
Publication date 29 September 2023
Last updated 21 August 2024
Ubuntu priority
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Read the notes from the security team
Why is this CVE high priority?
Listed in CISA Known Exploited Vulnerabilities Catalog
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| chromium-browser | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic | Ignored end of standard support | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support | |
| firefox | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 118.0.1+build1-0ubuntu0.20.04.1
|
|
| 18.04 LTS bionic | Ignored end of standard support | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support | |
| libvpx | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1.11.0-2ubuntu2.2
|
|
| 20.04 LTS focal |
Fixed 1.8.2-1ubuntu0.2
|
|
| 18.04 LTS bionic |
Fixed 1.7.0-3ubuntu0.18.04.1+esm1
|
|
| 16.04 LTS xenial |
Fixed 1.5.0-2ubuntu1.1+esm2
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| mozjs102 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| mozjs38 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| mozjs52 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| mozjs68 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| mozjs78 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| mozjs91 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| thunderbird | 24.10 oracular |
Fixed 1:115.3.1+build1-0ubuntu1
|
| 24.04 LTS noble |
Fixed 1:115.3.1+build1-0ubuntu1
|
|
| 22.04 LTS jammy |
Fixed 1:115.3.1+build1-0ubuntu0.22.04.2
|
|
| 20.04 LTS focal |
Fixed 1:115.3.1+build1-0ubuntu0.20.04.1
|
|
| 18.04 LTS bionic | Ignored end of standard support | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
alexmurray
The Debian chromium source package is called chromium-browser in Ubuntu
mdeslaur
starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap
tyhicks
mozjs contains a copy of the SpiderMonkey JavaScript engine
mdeslaur
starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6403-1
- libvpx vulnerabilities
- 2 October 2023
- USN-6404-1
- Firefox vulnerabilities
- 3 October 2023
- USN-6405-1
- Thunderbird vulnerabilities
- 3 October 2023
- USN-6403-2
- libvpx vulnerabilities
- 23 October 2023
- USN-6403-3
- libvpx vulnerabilities
- 1 November 2023
Other references
- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/#CVE-2023-5217
- https://www.openwall.com/lists/oss-security/2023/09/28/5
- https://hg.mozilla.org/mozilla-central/rev/c53f5ef77b62b79af86951a7f9130e1896b695d2
- https://crbug.com/1486441
- https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
- http://www.openwall.com/lists/oss-security/2023/09/28/5
- http://www.openwall.com/lists/oss-security/2023/09/28/6
- https://www.cve.org/CVERecord?id=CVE-2023-5217
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog