FS#79681 - [libwebp] Follow-up patch for CVE-2023-4863

Attached to Project: Arch Linux
Opened by Viktor Jägersküpper (viktorjk) - Wednesday, 13 September 2023, 18:42 GMT
Last edited by Toolybird (Toolybird) - Friday, 06 October 2023, 20:12 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Jan Alexander Steffens (heftig), kpcyrd (kpcyrd)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

The Debian Security Tracker for CVE-2023-4863 [1] lists a follow-up patch for libwebp, see [2].

Even though I don't understand the technical side, this seems to be a security patch,
so you might consider picking it up.

[1] https://security-tracker.debian.org/tracker/CVE-2023-4863
[2] https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0

Closed by Toolybird (Toolybird)
Friday, 06 October 2023, 20:12 GMT
Reason for closing: Won't fix
Additional comments about closing: @reporter says "No security impact according to upstream (Google) and Mozilla.". Refer also to PM's comments, which agree with the above.

Comment by Jan Alexander Steffens (heftig) - Wednesday, 13 September 2023, 22:53 GMT
Not sure. It wasn't cherry-picked into Firefox, Chromium, or libwebp's own branches yet.

Comment by Jared Sutton (jpsutton) - Thursday, 14 September 2023, 02:39 GMT
libwebp 1.3.2 was tagged less than an hour ago, including the following in the desc: "Fix OOB write in BuildHuffmanTable", which is a reference to CVE-2023-4863.

Comment by Jared Sutton (jpsutton) - Thursday, 14 September 2023, 02:41 GMT
BTW, this is a zero-day bug that affects a ton of applications (especially because electron inherits the vuln too), so I would think raising the severity would be justified.

Comment by Toolybird (Toolybird) - Thursday, 14 September 2023, 02:56 GMT
The vuln is already fixed. This ticket is about a *follow-up* patch which is *not* tagged in 1.3.2.

Comment by Chih-Hsuan Yen (yan12125) - Sunday, 01 October 2023, 05:36 GMT
Apparently the patch is part of upstream version 1.3.2 [1], and the Arch package is updated. Can this issue be closed?

[1] https://chromium.googlesource.com/webm/libwebp.git/+log

Comment by loqs (loqs) - Monday, 02 October 2023, 23:24 GMT
> Apparently the patch is part of upstream version 1.3.2 [1], and the Arch package is updated. Can this issue be closed?
>
> [1] https://chromium.googlesource.com/webm/libwebp.git/+log

Sadly, that listing is misleading; see [1]. You can also examine src/dec/vp8l_dec.c from 1.3.2. See also:

$ git remote -v
origin https://chromium.googlesource.com/webm/libwebp (fetch)
origin https://chromium.googlesource.com/webm/libwebp (push)
$ git describe
v1.3.2-86-gcdbf88ae
$ git tag --contains 95ea5226c870449522240ccff26f0b006037c520

[1] https://chromium.googlesource.com/webm/libwebp.git/+log/ca332209cb5567c9b249c86788cb2dbf8847e760
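
The containment check from the comment above, written as a reusable shell function. This is an added example, not part of the original thread or of libwebp; the names fix_in_release and make_demo_repo, the tag v-demo-release and the demo repository are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a fix commit is contained in a release tag.
# Usage: fix_in_release <repo-dir> <fix-commit> <tag>
# Prints "included" (status 0), "missing" (status 1) or "unknown" (status 2).
fix_in_release() {
    repo=$1 fix=$2 tag=$3
    # Both names must resolve to commits, otherwise the answer is meaningless.
    git -C "$repo" rev-parse --verify --quiet "${fix}^{commit}" >/dev/null ||
        { echo unknown; return 2; }
    git -C "$repo" rev-parse --verify --quiet "${tag}^{commit}" >/dev/null ||
        { echo unknown; return 2; }
    # A tag contains a commit exactly when the commit is an ancestor of the tag.
    if git -C "$repo" merge-base --is-ancestor "$fix" "$tag"; then
        echo included
    else
        echo missing
    fi
}

# Constructed demo repository (not libwebp): a main fix, a release tag on it,
# then a follow-up fix that lands on the branch after the release was tagged.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() {
        git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"
    }
    g init -q
    echo 1 > "$d/f"; g add f; g commit -q -m "main fix"
    g tag v-demo-release
    echo 2 > "$d/f"; g commit -q -am "follow-up fix"
    echo "$d"
}
```

Against a real checkout, pass the repository path, the full commit hash of the patch and the release tag; a "missing" result means the packaged release does not carry that commit, whatever a branch log listing suggests.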

Comment by Chih-Hsuan Yen (yan12125) - Thursday, 05 October 2023, 16:57 GMT
> Not sure. It wasn't cherry-picked into Firefox, Chromium, or libwebp's own branches yet.

The follow-up fix is now part of Firefox [1]. It still seems not to be part of Chromium, though - the git submodule in chromium [2] points to the stable 1.3.2 version of libwebp.

> Sadly, that listing is misleading; see [1]. You can also examine src/dec/vp8l_dec.c from 1.3.2. See also:

Thank you very much for the check, sorry for not checking it myself. I attached a diff for PKGBUILD for the fix.

[1] https://hg.mozilla.org/mozilla-central/rev/3c159cd917bb
[2] https://github.com/chromium/chromium/tree/main/third_party/libwebp

Comment by Jan Alexander Steffens (heftig) - Thursday, 05 October 2023, 17:07 GMT
I don't think we need the patch; see the comments on the oss-fuzz issue:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62136#c7