[RHSA-2021:2354-01] Important: libwebp security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Wed Jun 9 00:27:23 UTC 2021



=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libwebp security update
Advisory ID:       RHSA-2021:2354-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2354
Issue date:        2021-06-08
CVE Names:         CVE-2018-25011 CVE-2020-36328 CVE-2020-36329 
=====================================================================

1. Summary:

An update for libwebp is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libwebp packages provide a library and tools for the WebP graphics
format. WebP is an image format that uses lossy compression of digital
photographic images. WebP consists of a codec based on the VP8 format and
a container based on the Resource Interchange File Format (RIFF).
Webmasters, web developers and browser developers can use WebP to compress,
archive, and distribute digital images more efficiently.

Security Fix(es):

* libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011)

* libwebp: heap-based buffer overflow in WebPDecode*Into functions
(CVE-2020-36328)

* libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c
(CVE-2020-36329)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1956829 - CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions
1956843 - CVE-2020-36329 libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c
1956919 - CVE-2018-25011 libwebp: heap-based buffer overflow in PutLE16()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
libwebp-1.0.0-3.el8_4.src.rpm

aarch64:
libwebp-1.0.0-3.el8_4.aarch64.rpm
libwebp-debuginfo-1.0.0-3.el8_4.aarch64.rpm
libwebp-debugsource-1.0.0-3.el8_4.aarch64.rpm
libwebp-devel-1.0.0-3.el8_4.aarch64.rpm
libwebp-java-debuginfo-1.0.0-3.el8_4.aarch64.rpm
libwebp-tools-debuginfo-1.0.0-3.el8_4.aarch64.rpm

ppc64le:
libwebp-1.0.0-3.el8_4.ppc64le.rpm
libwebp-debuginfo-1.0.0-3.el8_4.ppc64le.rpm
libwebp-debugsource-1.0.0-3.el8_4.ppc64le.rpm
libwebp-devel-1.0.0-3.el8_4.ppc64le.rpm
libwebp-java-debuginfo-1.0.0-3.el8_4.ppc64le.rpm
libwebp-tools-debuginfo-1.0.0-3.el8_4.ppc64le.rpm

s390x:
libwebp-1.0.0-3.el8_4.s390x.rpm
libwebp-debuginfo-1.0.0-3.el8_4.s390x.rpm
libwebp-debugsource-1.0.0-3.el8_4.s390x.rpm
libwebp-devel-1.0.0-3.el8_4.s390x.rpm
libwebp-java-debuginfo-1.0.0-3.el8_4.s390x.rpm
libwebp-tools-debuginfo-1.0.0-3.el8_4.s390x.rpm

x86_64:
libwebp-1.0.0-3.el8_4.i686.rpm
libwebp-1.0.0-3.el8_4.x86_64.rpm
libwebp-debuginfo-1.0.0-3.el8_4.i686.rpm
libwebp-debuginfo-1.0.0-3.el8_4.x86_64.rpm
libwebp-debugsource-1.0.0-3.el8_4.i686.rpm
libwebp-debugsource-1.0.0-3.el8_4.x86_64.rpm
libwebp-devel-1.0.0-3.el8_4.i686.rpm
libwebp-devel-1.0.0-3.el8_4.x86_64.rpm
libwebp-java-debuginfo-1.0.0-3.el8_4.i686.rpm
libwebp-java-debuginfo-1.0.0-3.el8_4.x86_64.rpm
libwebp-tools-debuginfo-1.0.0-3.el8_4.i686.rpm
libwebp-tools-debuginfo-1.0.0-3.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
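An added check, not part of the advisory or of Red Hat's tooling: the script below takes an `rpm -qa` listing (default `name-version-release.arch` lines, with an optional `epoch:` prefix if you print one via a query format) and reports every libwebp package older than the fixed build 1.0.0-3.el8_4 listed above, using a port of rpm's version ordering (the rarely used `^` operator is left out). The sample listing is constructed.

```python
import itertools
import re

# Fixed build from this advisory's package list: 1.0.0-3.el8_4 (no epoch, so 0).
FIXED_EVR = (0, "1.0.0", "3.el8_4")
SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")          # rpm compares these segments
NEVRA = re.compile(r"(.+)-(?:(\d+):)?([^-]+)-([^-]+)\.([^.]+)")

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp() ordering (minus '^' support): -1, 0 or 1."""
    for x, y in itertools.zip_longest(SEGMENT.findall(a), SEGMENT.findall(b)):
        if x == "~" or y == "~":  # '~' sorts before anything, even end of string
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:  # the side with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # longer number (sans zeros) wins
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(x, y):
    """Order (epoch, version, release) tuples as rpm does: epoch, version, release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])

def unpatched(rpm_qa_output):
    """Return libwebp NEVRAs from an `rpm -qa` listing that are older than FIXED_EVR."""
    hits = []
    for line in rpm_qa_output.split():
        m = NEVRA.fullmatch(line)  # groups: name, epoch, version, release, arch
        if m and m[1].split("-")[0] == "libwebp" \
                and evr_cmp((int(m[2] or 0), m[3], m[4]), FIXED_EVR) < 0:
            hits.append(line)
    return hits

# Constructed sample `rpm -qa` output (not from a real host): two stale builds,
# one fixed build and one unrelated package.
SAMPLE_RPM_QA = """
libwebp-1.0.0-2.el8.x86_64
libwebp-devel-1.0.0-2.el8.x86_64
libwebp-1.0.0-3.el8_4.i686
libpng-1.6.34-5.el8.x86_64
"""
```

On a real host feed it `rpm -qa` output; both stale builds above are reported while the fixed i686 build and libpng are not.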

7. References:

https://access.redhat.com/security/cve/CVE-2018-25011
https://access.redhat.com/security/cve/CVE-2020-36328
https://access.redhat.com/security/cve/CVE-2020-36329
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.