WebP: User-assisted execution of arbitrary code — GLSA 201312-08

An integer overflow vulnerability in WebP could lead to arbitrary code execution or Denial of Service.

Affected packages

media-libs/libwebp on all architectures
Affected versions < 0.2.1
Unaffected versions >= 0.2.1

Background

WebP is a lossy image compression format.

Description

An integer overflow flaw has been found in WebP.

Impact

A remote attacker could entice a user to open a specially crafted image in an application linked against WebP, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All WebP users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libwebp-0.2.1"
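
To confirm whether a host is still in the affected range, before or after the upgrade, this added example (not part of the original advisory) compares installed media-libs/libwebp versions against 0.2.1. The function names are hypothetical, and the installed-package lookup assumes qlist from app-portage/portage-utils is available.

```shell
#!/bin/sh
# Added example: flags libwebp versions in the GLSA 201312-08 affected range.
FIXED="0.2.1"   # first unaffected version, taken from the advisory

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading components
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}                        # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                        # equal versions
}

# libwebp_affected VERSION_OR_ATOM: 0 = affected, 1 = not affected, 2 = unparseable.
libwebp_affected() {
    v=${1#media-libs/libwebp-}                  # accept "media-libs/libwebp-0.2.0" too
    case $v in *-r[0-9]*) v=${v%-r*} ;; esac    # drop a Gentoo revision suffix (-r1)
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;    # _rc, _p and similar: do not guess
    esac
    version_lt "$v" "$FIXED"
}

# report_installed: classify every installed libwebp version (assumes qlist exists).
report_installed() {
    qlist -Iv media-libs/libwebp | while read -r atom; do
        rc=0
        libwebp_affected "$atom" || rc=$?
        case $rc in
            0) echo "AFFECTED: $atom (upgrade to >= $FIXED)" ;;
            1) echo "not affected: $atom" ;;
            *) echo "check manually: $atom" ;;
        esac
    done
}

# Only query the package database when qlist is present on this host.
if command -v qlist >/dev/null 2>&1; then
    report_installed
fi
```

The upgrade replaces the shared library on disk; processes that loaded the old library before the upgrade keep using it until they are restarted.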
 

References

Release date
December 10, 2013

Latest revision
December 10, 2013: 1

Severity
normal

Exploitable
remote

Bugzilla entries