CVE-2018-25010

Vulnerability

The vulnerability is a heap-based buffer overflow in the ApplyFilter() function in src/utils/quant_levels_dec_utils.c of libwebp, a library for encoding and decoding WebP images. The bug was introduced before version 1.0.1 and allows an out-of-bounds read when processing a crafted lossless WebP image with specific filter parameters. The issue is triggered when the filtering radius exceeds the image dimensions, causing an out-of-bounds access on the heap [1][2].

Exploitation

An attacker would need to craft a malicious lossless WebP image that sets the alpha filtering radius to a value larger than the image width or height. When a user or application using libwebp decodes this image, the ApplyFilter() function is called with the oversized radius, leading to a heap out-of-bounds read. The fix limits the radius to the minimum of the image width and height to prevent the condition [2].

Impact

Successful exploitation could lead to an out-of-bounds read of heap memory, potentially resulting in information disclosure. The vulnerability has a CVSS score of 5.5 (medium severity) and could be used to leak sensitive data or cause a crash (denial of service) [1]. No remote code execution has been demonstrated for this specific issue.

Mitigation

The vulnerability is fixed in libwebp version 1.0.1, which was released on 2018-06-29. Users should update libwebp to version 1.0.1 or later. The fix was committed in commit 1344a2e947c749d231141a295327e5b99b444d63. Distributions such as Red Hat have issued advisories and updated packages [1][2].