diff -Nru libwebp-0.6.1/debian/changelog libwebp-0.6.1/debian/changelog
--- libwebp-0.6.1/debian/changelog	2021-05-20 11:52:26.000000000 +0000
+++ libwebp-0.6.1/debian/changelog	2023-05-15 18:14:09.000000000 +0000
@@ -1,3 +1,12 @@
+libwebp (0.6.1-2ubuntu0.20.04.2) focal-security; urgency=medium
+
+  * SECURITY UPDATE: crash and possible code execution via double free
+    - debian/patches/CVE-2023-1999.patch: clear result->bw on error in
+      src/enc/alpha_enc.c.
+    - CVE-2023-1999
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 15 May 2023 14:14:09 -0400
+
 libwebp (0.6.1-2ubuntu0.20.04.1) focal-security; urgency=medium
 
   * SECURITY UPDATE: heap-based buffer overflow in GetLE16() and GetLE24()
diff -Nru libwebp-0.6.1/debian/patches/CVE-2023-1999.patch libwebp-0.6.1/debian/patches/CVE-2023-1999.patch
--- libwebp-0.6.1/debian/patches/CVE-2023-1999.patch	1970-01-01 00:00:00.000000000 +0000
+++ libwebp-0.6.1/debian/patches/CVE-2023-1999.patch	2023-05-15 18:14:04.000000000 +0000
@@ -0,0 +1,52 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c02690e3..7d205586fe 100644
+--- a/src/enc/alpha_enc.c
++++ b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+ 
+ #include <assert.h>
+ #include <stdlib.h>
++#include <string.h>
+ 
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+       }
+     } else {
+       VP8LBitWriterWipeOut(&tmp_bw);
++      memset(&result->bw, 0, sizeof(result->bw));
+       return 0;
+     }
+   }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+   header = method | (filter << 2);
+   if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+ 
+-  VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++  if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+   ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+   ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+ 
diff -Nru libwebp-0.6.1/debian/patches/series libwebp-0.6.1/debian/patches/series
--- libwebp-0.6.1/debian/patches/series	2021-05-20 11:52:20.000000000 +0000
+++ libwebp-0.6.1/debian/patches/series	2023-05-15 18:14:04.000000000 +0000
@@ -11,3 +11,4 @@
 CVE-2020-36331.patch
 CVE-2020-36332-pre1.patch
 CVE-2020-36332.patch
+CVE-2023-1999.patch