Opened 8 months ago

Closed 8 months ago

#18543 closed enhancement (fixed)

firefox-115.2.1 (Critical Security Update for shipped libwebp)

Reported by: Douglas R. Reno Owned by: ken@…
Priority: normal Milestone: 12.1
Component: BOOK Version: git
Severity: trivial Keywords:
Cc:

Description

New point version.

Contains a security fix for a security vulnerability which is currently under active exploitation.

It appears to be in libwebp. However, Google has locked the bug report to anyone outside of a distribution's security team, and thus we have no context as to where the commit is that fixes this vulnerability in libwebp.

From the Mozilla security advisory:

CVE-2023-4863: Heap buffer overflow in libwebp

Reporter
    Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School
Impact
    critical

Description

Opening a malicious WebP image could lead to a heap buffer overflow in 
the content process. We are aware of this issue being exploited in other 
products in the wild.

References

    Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1852649
    Bug https://bugs.chromium.org/p/chromium/issues/detail?id=1479274

Change History (3)

comment:1 by ken@…, 8 months ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

Given webp's past tardiness in releasing new versions (the previous vulnerability was specified in firefox's media/libwebp/CHANGES file for a long time before the webp-1.3.1 release), I propose to patch webp with the fix extracted from firefox (assuming it builds) plus an indication in the .pc file that it has been patched.

For 115.2.0 only this item has changed; for 117.0.1 there are other fixes. For anyone using firefox-beta, 118.0b8 has now been released and includes this (but does not point to the webp commit in the libwebp/MOZCHANGES file).

comment:2 by ken@…, 8 months ago

Priority: high → normal
Summary: firefox-115.2.1 (Critical Security Update) → firefox-115.2.1 (Critical Security Update for shipped libwebp)

I've committed the system libwebp fix, so since we don't use the shipped webp this is not a security update for people who follow the book.

comment:3 by ken@…, 8 months ago

Resolution: fixed
Status: assigned → closed