Bug 32280 - libwebp new security issue CVE-2023-4863
Summary: libwebp new security issue CVE-2023-4863
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA9-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-13 12:25 CEST by Nicolas Salguero
Modified: 2023-10-03 12:56 CEST (History)
7 users

See Also:
Source RPM: libwebp-1.3.0-2.mga9.src.rpm
CVE:
Status comment:



Nicolas Salguero 2023-09-13 12:25:51 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => libwebp-1.3.0-2.mga9.src.rpm

Comment 1 Lewis Smith 2023-09-13 19:28:51 CEST
Assigning this globally because there is no one packager in evidence for libwebp.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-09-14 16:00:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (CVE-2023-4863)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)sharpyuv0-1.3.0-2.1.mga9
lib(64)webp7-1.3.0-2.1.mga9
lib(64)webpdecoder3-1.3.0-2.1.mga9
lib(64)webpdemux2-1.3.0-2.1.mga9
lib(64)webpmux3-1.3.0-2.1.mga9
lib(64)webp-devel-1.3.0-2.1.mga9
libwebp-tools-1.3.0-2.1.mga9

from SRPM:
libwebp-1.3.0-2.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)webp7-1.1.0-2.2.mga8
lib(64)webpdecoder3-1.1.0-2.2.mga8
lib(64)webpdemux2-1.1.0-2.2.mga8
lib(64)webpmux3-1.1.0-2.2.mga8
lib(64)webp-devel-1.1.0-2.2.mga8
libwebp-tools-1.1.0-2.2.mga8

from SRPM:
libwebp-1.1.0-2.2.mga8.src.rpm

Assignee: pkg-bugs => nicolas.salguero
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Status: NEW => ASSIGNED
Version: Cauldron => 9
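Anyone applying this advisory wants to confirm that the libwebp packages actually installed on a host are at or past the releases listed above. The Python script below is added here as an illustration; it is not part of the bug report or of Mageia's tooling. It takes a name-version-release string of the kind printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' lib64webp7` and checks it against the advisory's list for a given Mageia release, using a re-implementation of rpm's segment-wise version comparison (tilde and caret ordering is left out, since these releases do not use it). The package names and fixed versions are taken from Comment 2; the installed values in the sample are constructed.

```python
import re

# Fixed package list from the advisory (Comment 2), keyed by Mageia release.
# "lib(64)" stands for both the 32-bit and the 64-bit package name.
ADVISORY = {
    "9": ["lib(64)sharpyuv0-1.3.0-2.1.mga9", "lib(64)webp7-1.3.0-2.1.mga9",
          "lib(64)webpdecoder3-1.3.0-2.1.mga9", "lib(64)webpdemux2-1.3.0-2.1.mga9",
          "lib(64)webpmux3-1.3.0-2.1.mga9", "lib(64)webp-devel-1.3.0-2.1.mga9",
          "libwebp-tools-1.3.0-2.1.mga9"],
    "8": ["lib(64)webp7-1.1.0-2.2.mga8", "lib(64)webpdecoder3-1.1.0-2.2.mga8",
          "lib(64)webpdemux2-1.1.0-2.2.mga8", "lib(64)webpmux3-1.1.0-2.2.mga8",
          "lib(64)webp-devel-1.1.0-2.2.mga8", "libwebp-tools-1.1.0-2.2.mga8"],
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does: split into
    numeric and alphabetic segments, compare numeric segments by value and
    alphabetic ones lexically, let a numeric segment beat an alphabetic one,
    and let the string with segments left over win. Returns -1, 0 or 1.
    Simplification: rpm's '~' and '^' ordering is not implemented."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def split_nvr(nvr: str):
    """'lib64webp7-1.3.0-2.1.mga9' -> ('lib64webp7', '1.3.0', '2.1.mga9')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def fixed_versions(mageia_release: str) -> dict:
    """Expand the advisory list into {package_name: (version, release)}."""
    table = {}
    for entry in ADVISORY[mageia_release]:
        name, version, release = split_nvr(entry)
        if "lib(64)" in name:
            names = [name.replace("lib(64)", "lib"), name.replace("lib(64)", "lib64")]
        else:
            names = [name]
        for n in names:
            table[n] = (version, release)
    return table


def is_fixed(installed_nvr: str, mageia_release: str):
    """True if the installed package is at or past the fixed release, False if
    it is still the vulnerable build, None if the advisory does not cover it."""
    name, version, release = split_nvr(installed_nvr)
    fixed = fixed_versions(mageia_release).get(name)
    if fixed is None:
        return None
    verdict = rpmvercmp(version, fixed[0])
    if verdict == 0:
        verdict = rpmvercmp(release, fixed[1])
    return verdict >= 0


if __name__ == "__main__":
    # Constructed sample of rpm -q output on a Mageia 9 host; 1.3.0-2.mga9 is the
    # pre-update build named in this bug's Source RPM field.
    for line in ["lib64webp7-1.3.0-2.mga9", "lib64webp7-1.3.0-2.1.mga9",
                 "libwebp-tools-1.3.0-2.1.mga9", "some-other-pkg-1.0-1.mga9"]:
        state = {True: "fixed", False: "VULNERABLE", None: "not covered"}[is_fixed(line, "9")]
        print(f"{line}: {state}")
```

The release comparison is what matters here: the vulnerable build is 1.3.0-2.mga9 and the fix is 1.3.0-2.1.mga9, and a plain string comparison would get that ordering wrong, which is why the script mimics rpm's segment rules rather than comparing text.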

Nicolas Salguero 2023-09-19 09:16:53 CEST

Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2023-09-20 17:53:45 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 31783 for testing
Firefox continues to work OK, looked for other tests, and found https://developers.google.com/speed/webp/docs/img2webp
Trying with some jpg files.
$ img2webp shelt0001.jpeg shelt0002.jpeg shelt0003.jpeg -o testwebp.webp
Frame #1 dimension mismatched! Got 2104 x 3183. Was expecting 3152 x 2158.
The above documentation does not shed any light on this problem.
Omitting the first jpg:
$ img2webp shelt0002.jpeg shelt0003.jpeg -o testwebp.webp
Frame #1 dimension mismatched! Got 3152 x 2131. Was expecting 2104 x 3183.
Beats me !!!!!

CC: (none) => herman.viaene
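The message in Comment 3 is img2webp refusing to build an animation from frames of different sizes: every frame must match the first one, and the reported dimensions show the first file is landscape (3152 x 2158) while the second is portrait (2104 x 3183). The Python script below is added here as an illustration and is not part of the bug report or of libwebp. It reads the width and height from each JPEG's Start-Of-Frame header and lists the files that differ from the first, so the mismatch can be spotted before calling img2webp. The sample inputs are constructed minimal JPEG headers carrying the sizes Herman reported; his files are not available here.

```python
import struct

# JPEG Start-Of-Frame markers (SOF0..SOF15 minus DHT/JPG/DAC); each carries height and width.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data: bytes):
    """Return (width, height) from the first SOFn segment of a JPEG byte string."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI reached without a SOF
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # layout: length(2) precision(1) height(2) width(2) components...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len                              # skip this segment
    raise ValueError("no SOF segment found")


def find_frame_mismatches(frames):
    """frames: list of (name, jpeg_bytes). Return a list of
    (index, name, got, expected) for every frame whose size differs from
    frame 0, which is exactly the condition img2webp rejects."""
    expected = jpeg_dimensions(frames[0][1])
    mismatches = []
    for index, (name, data) in enumerate(frames[1:], start=1):
        got = jpeg_dimensions(data)
        if got != expected:
            mismatches.append((index, name, got, expected))
    return mismatches


def _fake_jpeg(width: int, height: int) -> bytes:
    """Constructed minimal JPEG: SOI, one SOF0 segment with the given size, EOI.
    Not a decodable picture, just enough header for the parser above."""
    sof_payload = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sof = b"\xff\xc0" + struct.pack(">H", len(sof_payload) + 2) + sof_payload
    return b"\xff\xd8" + sof + b"\xff\xd9"


# Constructed sample using the sizes reported in Comment 3.
SAMPLE_FRAMES = [
    ("shelt0001.jpeg", _fake_jpeg(3152, 2158)),
    ("shelt0002.jpeg", _fake_jpeg(2104, 3183)),
    ("shelt0003.jpeg", _fake_jpeg(3152, 2131)),
]

if __name__ == "__main__":
    # With real files: frames = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for index, name, got, want in find_frame_mismatches(SAMPLE_FRAMES):
        print(f"Frame #{index} ({name}): got {got[0]} x {got[1]}, "
              f"expected {want[0]} x {want[1]}")
```

Run against the three sample headers it reports frames 1 and 2, matching the first img2webp error; run against frames 2 and 3 alone it reports the second one. Scaling or cropping every input to one size first is what makes img2webp accept the sequence.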

Nicolas Salguero 2023-09-25 07:22:09 CEST

Severity: normal => critical

Comment 4 Brian Rockwell 2023-09-25 15:27:40 CEST
I tested this in MGA9 as best I could.  

approving this

CC: (none) => brtians1
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK

Comment 5 Herman Viaene 2023-09-25 16:30:30 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Got exactly the same results as in Comment 3. I don't know what to think of it, especially since I can't find any restriction on the file sizes while googling.

Comment 6 Marja Van Waes 2023-09-30 13:39:59 CEST
Advisory uploaded.

I assume the script to push updates only works when someone from QA has validated the update, because sometimes sysadmin-bugs is already in the CC list when a bug report for an update is created.

@ NS80

Can you please look at Herman's comments?

CC: (none) => marja11, sysadmin-bugs
Keywords: (none) => advisory

Comment 7 Dave Hodgins 2023-09-30 16:12:22 CEST
My understanding is that it selects advisories from svn where the bug is
assigned to qa and the validated keyword is present.

CC: (none) => davidwhodgins

Comment 8 Marja Van Waes 2023-09-30 16:50:20 CEST
(In reply to Dave Hodgins from comment #7)
> My understanding is that it selects advisories from svn where the bug is
> assigned to qa and the validated keyword is present.

Thanks :-)

Comment 9 Nicolas Salguero 2023-10-03 08:59:17 CEST
(In reply to Herman Viaene from comment #5)
> MGA9-64 Xfce on Acer Aspire 5253
> No installation issues.
> Got exactly the same results as in Comment 3. I don't know what to think of
> it, especially since I can't find any restriction on the file sizes while
> googling.

I tried with some jpeg I have and did not see the message.

I think that this update needs to be pushed urgently, since the security issue affects chromium, libreoffice...

Best regards,

Nico.

Herman Viaene 2023-10-03 09:46:04 CEST

Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-64-OK

Comment 10 Morgan Leijström 2023-10-03 10:31:44 CEST
Approving by the OKs.
Don't know how to test this myself, and it is not a core system package.

CC: (none) => fri
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2023-10-03 12:56:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0282.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

