
Debian DSA-4930-1 : libwebp - security update

Debian DSA-4930-1: libwebp security update to patch multiple vulnerabilities in WebP image format implementation


Related
ReporterTitlePublishedViews
Family
Debian
[SECURITY] [DSA 4930-1] libwebp security update
10 Jun 202121:04
debian
Debian
[SECURITY] [DLA 2672-1] libwebp security update
5 Jun 202117:43
debian
Debian
[SECURITY] [DLA 2677-1] libwebp security update
6 Jun 202118:38
debian
Redos
ROS-2-533
6 Jul 202300:00
redos
Redos
ROS-2-1374
13 Mar 202400:00
redos
Redos
ROS-2-1327
24 Dec 202100:00
redos
Redos
ROS-2-1590
24 Dec 202100:00
redos
Redos
ROS-2-1622
24 Dec 202100:00
redos
Redos
ROS-2-919
8 Sep 202100:00
redos
Redos
ROS-2-1742
24 Dec 202100:00
redos
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4930. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include("compat.inc");

# Registration branch: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script stops at exit(0),
# so none of the package checks further down run in this mode.
if (description)
{
  script_id(150705);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/21");

  # The ten CVEs this advisory is mapped to. A single finding from this plugin
  # covers all of them; it does not say which individual CVE is reachable.
  script_cve_id("CVE-2018-25009", "CVE-2018-25010", "CVE-2018-25011", "CVE-2018-25013", "CVE-2018-25014", "CVE-2020-36328", "CVE-2020-36329", "CVE-2020-36330", "CVE-2020-36331", "CVE-2020-36332");
  script_xref(name:"DSA", value:"4930");

  script_name(english:"Debian DSA-4930-1 : libwebp - security update");
  # This is a package-version comparison against dpkg output, not a test of
  # the library's behaviour.
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # Advisory text: the trigger is processing a malformed image, so practical
  # exposure depends on whether the host decodes WebP data from untrusted
  # sources.
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities were discovered in libwebp, the
implementation of the WebP image format, which could result in denial
of service, memory disclosure or potentially the execution of
arbitrary code if malformed images are processed."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/libwebp"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/buster/libwebp"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2021/dsa-4930"
  );
  # Remediation: the fixed version quoted here is the same string the
  # deb_check() calls later in the file compare against.
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the libwebp packages.

For the stable distribution (buster), these problems have been fixed
in version 0.6.1-2+deb10u1."
  );
  # Severity metadata. The vectors are attributed to one CVE of the ten
  # (see cvss_score_source below), presumably the one chosen to represent the
  # whole advisory - TODO confirm how the source CVE is selected.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-36329");
  # Exploit status as recorded in this plugin revision (modification date
  # 2023/12/21 above); it is static text and can go stale.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: results come from data gathered on the host, not
  # from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libwebp");
  # Only Debian 10.0 is listed as the affected platform.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/06/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Prerequisites: the three KB keys below must exist for the plugin to run.
  # They are presumably populated by ssh_get_info.nasl during a credentialed
  # scan - verify. Without them the host yields no result, which is not the
  # same as a clean result.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions for a package-list check: stop through audit() unless local
# checks are enabled, the host was identified as Debian, and a dpkg listing
# is present in the knowledge base.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}


# All five binary packages checked for DSA-4930 share one fixed version on
# Debian 10.0. Only release "10.0" is passed to deb_check(), so a "not
# affected" audit from this plugin says nothing about other Debian releases
# (presumably deb_check() returns false on a release mismatch - confirm in
# debian_package.inc).
dsa4930_fixed = "0.6.1-2+deb10u1";
dsa4930_pkgs = make_list("libwebp-dev", "libwebp6", "libwebpdemux2", "libwebpmux3", "webp");

# flag counts how many of the listed packages deb_check() reports.
flag = 0;
foreach dsa4930_pkg (dsa4930_pkgs)
{
  if (deb_check(release:"10.0", prefix:dsa4930_pkg, reference:dsa4930_fixed)) flag++;
}

# NOTE(review): the verdict is based on installed package versions only; it
# does not show whether running processes have been restarted onto the
# updated library after an upgrade.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  # Attach the per-package detail from deb_report_get() only when the scan
  # asks for verbose reporting.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}

11 Jun 2021 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS27.5
CVSS39.8
EPSS0.00601