Security update for libwebp

Announcement ID:	SUSE-SU-2021:1860-1
Rating:	critical
References:	bsc#1185652 bsc#1185654 bsc#1185673 bsc#1185674 bsc#1185685 bsc#1185686 bsc#1185688 bsc#1185690 bsc#1185691 bsc#1186247
Cross-References:	CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332
CVSS scores:	CVE-2018-25009 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25009 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25010 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25010 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25011 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-25011 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-25012 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25012 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25013 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25013 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36328 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36328 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36329 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-36329 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36330 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36330 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36331 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36331 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36332 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36332 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 LTSS 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 LTSS 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server ESPOS 15 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Workstation Extension 15 SP2 SUSE Linux Enterprise Workstation Extension 15 SP3 SUSE Manager Proxy 4.0 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.0 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.0 SUSE Manager Server 4.1 SUSE Manager Server 4.2 SUSE Package Hub 15 15-SP2 SUSE Package Hub 15 15-SP3

An update that solves 10 vulnerabilities can now be installed.

Description:

This update for libwebp fixes the following issues:

• CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
• CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
• CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
• CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
• CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
• CVE-2020-36328: Fixed heap-based buffer overflow in WebPDecode*Into functions (bsc#1185688).
• CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
• CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
• CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
• CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Package Hub 15 15-SP2
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1860=1
• SUSE Package Hub 15 15-SP3
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1860=1
• SUSE Linux Enterprise Server ESPOS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1860=1
• SUSE Linux Enterprise High Performance Computing 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1860=1
• SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1860=1
• SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1860=1
• SUSE Linux Enterprise Server 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1860=1
• SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1860=1
• SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1860=1
• SUSE Linux Enterprise Server for SAP Applications 15
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1860=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP1
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1860=1
• SUSE Manager Proxy 4.0
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1860=1
• SUSE Manager Retail Branch Server 4.0
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1860=1
• SUSE Manager Server 4.0
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1860=1
• SUSE Linux Enterprise Workstation Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1860=1
• SUSE Linux Enterprise Workstation Extension 15 SP3
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1860=1
• SUSE Enterprise Storage 6
  zypper in -t patch SUSE-Storage-6-2021-1860=1
• SUSE CaaS Platform 4.0
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

• SUSE Package Hub 15 15-SP2 (x86_64)
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebp6-32bit-debuginfo-0.5.0-3.5.1
  • libwebp6-32bit-0.5.0-3.5.1
• SUSE Package Hub 15 15-SP3 (x86_64)
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebp6-32bit-debuginfo-0.5.0-3.5.1
  • libwebp6-32bit-0.5.0-3.5.1
• SUSE Linux Enterprise Server ESPOS 15 (aarch64 x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise High Performance Computing 15 LTSS 15 (aarch64 x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (aarch64 x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Server 15 LTSS 15 (aarch64 ppc64le s390x x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Server for SAP Applications 15 (ppc64le x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Manager Proxy 4.0 (x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Manager Retail Branch Server 4.0 (x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Manager Server 4.0 (ppc64le s390x x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE Linux Enterprise Workstation Extension 15 SP2 (x86_64)
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
• SUSE Linux Enterprise Workstation Extension 15 SP3 (x86_64)
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
• SUSE Enterprise Storage 6 (aarch64 x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1
• SUSE CaaS Platform 4.0 (x86_64)
  • libwebpdemux2-debuginfo-0.5.0-3.5.1
  • libwebp-devel-0.5.0-3.5.1
  • libwebpextras0-0.5.0-3.5.1
  • libwebpdecoder2-debuginfo-0.5.0-3.5.1
  • libwebpmux2-debuginfo-0.5.0-3.5.1
  • libwebp6-debuginfo-0.5.0-3.5.1
  • libwebpmux2-0.5.0-3.5.1
  • libwebp6-0.5.0-3.5.1
  • libwebpdecoder2-0.5.0-3.5.1
  • libwebp-debugsource-0.5.0-3.5.1
  • libwebpextras0-debuginfo-0.5.0-3.5.1
  • libwebpdemux2-0.5.0-3.5.1

References:

• https://www.suse.com/security/cve/CVE-2018-25009.html
• https://www.suse.com/security/cve/CVE-2018-25010.html
• https://www.suse.com/security/cve/CVE-2018-25011.html
• https://www.suse.com/security/cve/CVE-2018-25012.html
• https://www.suse.com/security/cve/CVE-2018-25013.html
• https://www.suse.com/security/cve/CVE-2020-36328.html
• https://www.suse.com/security/cve/CVE-2020-36329.html
• https://www.suse.com/security/cve/CVE-2020-36330.html
• https://www.suse.com/security/cve/CVE-2020-36331.html
• https://www.suse.com/security/cve/CVE-2020-36332.html
• https://bugzilla.suse.com/show_bug.cgi?id=1185652
• https://bugzilla.suse.com/show_bug.cgi?id=1185654
• https://bugzilla.suse.com/show_bug.cgi?id=1185673
• https://bugzilla.suse.com/show_bug.cgi?id=1185674
• https://bugzilla.suse.com/show_bug.cgi?id=1185685
• https://bugzilla.suse.com/show_bug.cgi?id=1185686
• https://bugzilla.suse.com/show_bug.cgi?id=1185688
• https://bugzilla.suse.com/show_bug.cgi?id=1185690
• https://bugzilla.suse.com/show_bug.cgi?id=1185691
• https://bugzilla.suse.com/show_bug.cgi?id=1186247