Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#18544 closed defect (fixed)

libwebp CVE-2023-4863

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 12.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

From #18543

This critical vulnerability has been reported, but is locked and only visible to distribution security teams. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School.

 Description

 Opening a malicious WebP image could lead to a heap buffer overflow in
 the content process. We are aware of this issue being exploited in other
 products in the wild.

 References

     Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1852649
     Bug https://bugs.chromium.org/p/chromium/issues/detail?id=1479274

Firefox fixed this in 115.2.1, and libwebp releases have been slow (maybe 1.3.2 will be quicker, given the severity), so I propose to apply the diff from firefox and hope it does the job.

Clearly, updating to firefox-115.2.1 et seq. will only fix the browser if using the shipped libwebp, and potentially leaves other packages linked to libwebp vulnerable.

Change History (9)

comment:1 by ken@…, 8 months ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

No change in the time to build the patched version, but with gcc-13.2.0 I notice the buildspace is 38 MB and the install 6 MB, so 44 MB total.

comment:2 by ken@…, 8 months ago

Patched libwebp committed. Working on the advisory, I searched for the CVE and found https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=531a0deb8a671b129d11e7aa4fc124ef which says

This bug's actually in libwebp. Unfortunately we're still embedding it 
in chromium, so we likely need to fix both chromium *and* libwebp in 
debian. There hasn't been a libwebp release yet, but the two relevant 
git commits are
<https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/>
and what appears to be a followup fix to that,
<https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0>

I can't get trac to link in that, try these: https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 and https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/

comment:3 by ken@…, 8 months ago

Rude words - firefox does not include the second commit, and I apparently fubar'd one of the rejects when manually applying the first hunk. Retesting before committing version 2 of the patch.

comment:6 by ken@…, 8 months ago

Resolution: fixed
Status: assigned → closed

Security Update SA-12.0-003.

comment:7 by pierre, 8 months ago

libwebp-1.3.2 is now out, see #18549.

in reply to: 7; comment:8 by Xi Ruoyao, 8 months ago

Replying to pierre:

 libwebp-1.3.2 is now out, see #18549.

Should we update the SA to say "update to libwebp-1.3.2 or later"?

in reply to: 8; comment:9 by Bruce Dubbs, 8 months ago

Replying to Xi Ruoyao:

 Replying to pierre:

  libwebp-1.3.2 is now out, see #18549.

 Should we update the SA to say "update to libwebp-1.3.2 or later"?

Yes.
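An added example, not code from the ticket or the BLFS book, covering two points raised above: the description's note that packages other than firefox which link to libwebp stay vulnerable, and comment 8's SA wording "update to libwebp-1.3.2 or later". It assumes a Linux host with a POSIX sh, pkg-config, binutils readelf and find; the function names and the sample readelf output are mine.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a host for CVE-2023-4863 exposure.
# Two questions follow from the SA: is the installed libwebp at least 1.3.2, and
# which other installed ELF objects are dynamically linked to libwebp (those stay
# exposed until libwebp itself is rebuilt, whatever firefox bundles internally).

# Return 0 when dotted version $1 is greater than or equal to $2 (pure POSIX sh).
version_ge() {
  v1=$1 v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*} p2=${v2%%.*}
    [ "${p1:-0}" -gt "${p2:-0}" ] && return 0
    [ "${p1:-0}" -lt "${p2:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 0
}

# libwebp-1.3.2 is the first release carrying the fix, per the ticket.
libwebp_fixed() { version_ge "$1" 1.3.2; }

# Report whether the libwebp that pkg-config sees is at or past 1.3.2.
audit_installed_libwebp() {
  v=$(pkg-config --modversion libwebp 2>/dev/null) || { echo "libwebp: not found via pkg-config"; return 0; }
  if libwebp_fixed "$v"; then echo "libwebp $v: fixed"; else echo "libwebp $v: vulnerable to CVE-2023-4863"; fi
}

# Print the libwebp* DT_NEEDED entries from `readelf -d` output read on stdin.
needed_libwebp() {
  sed -n 's/.*(NEEDED).*Shared library: \[\(libwebp[a-z]*\.so[^]]*\)].*/\1/p'
}

# List executables and shared objects under the given directories that need a libwebp library.
scan_libwebp_users() {
  find "$@" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
  while read -r f; do
    deps=$(readelf -d "$f" 2>/dev/null | needed_libwebp | tr '\n' ' ')
    [ -n "$deps" ] && printf '%s: %s\n' "$f" "$deps"
  done
}

# Constructed sample of `readelf -d` output so the parser can be tried offline.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)  Shared library: [libwebp.so.7]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
printf '%s\n' "$SAMPLE_READELF" | needed_libwebp   # prints libwebp.so.7
libwebp_fixed 1.3.1 || echo "1.3.1 is vulnerable"
# On a real host: audit_installed_libwebp; scan_libwebp_users /usr/bin /usr/lib
```

Rebuilding every package the scan lists is not required; once the shared libwebp is replaced by 1.3.2 or later, dynamically linked users pick it up, so the list mainly flags what to re-test and anything that carries its own static copy.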
