Update SkiaSharp to 2.88.6 to fix a critical security vulnerability #13109

Merged
merged 2 commits into from
Oct 3, 2023

spofdamon
Contributor

What does the pull request do?

Updates SkiaSharp from 2.88.3 to 2.88.6 to pull in the fix for a critical security vulnerability reported on September 11th.

What is the current behavior?

tl;dr A buffer overflow in libwebp, used by Skia, allows a maliciously crafted .webp file to execute arbitrary code in the rendering process.

From the vulnerability report:

Overview

Affected versions of this package are vulnerable to Heap-based Buffer Overflow when the ReadHuffmanCodes() function is used. An attacker can craft a special WebP lossless file that triggers the ReadHuffmanCodes() function to allocate the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

Notes:

This is only exploitable if the color_cache_bits value defines which size to use.

This vulnerability was also published on libwebp CVE-2023-5129

What is the updated/expected behavior with this PR?

The security vulnerability will be closed.

How was the solution implemented (if it's not obvious)?

Just bumped the SkiaSharp version number to the first release with the fix.

Checklist

Breaking changes

Shouldn't be any. The Skia render tests succeed on my machine.

Obsoletions / Deprecations

N/A

Fixed issues

Fixes #13105

@spofdamon
Contributor Author

@dotnet-policy-service agree

@avaloniaui-team
Contributor

You can test this PR using the following package version. 11.0.999-cibuild0040396-beta. (feed url: https://nuget-feed-all.avaloniaui.net/v3/index.json) [PRBUILDID]

@avaloniaui-team
Contributor

You can test this PR using the following package version. 11.0.999-cibuild0040398-beta. (feed url: https://nuget-feed-all.avaloniaui.net/v3/index.json) [PRBUILDID]

@maxkatz6 maxkatz6 added this pull request to the merge queue Oct 3, 2023
Merged via the queue into AvaloniaUI:master with commit c102aad Oct 3, 2023
5 checks passed
@spofdamon spofdamon deleted the update-skiasharp-to-2886 branch October 3, 2023 11:15
@Mrxx99
Contributor

Mrxx99 commented Oct 3, 2023

As this is a security fix it would make sense to backport to 11.0.x too

@maxkatz6 maxkatz6 added backport-candidate-11.0.x Consider this PR for backporting to 11.0 branch and removed backport-candidate-0.10.x labels Oct 3, 2023
grokys pushed a commit that referenced this pull request Oct 16, 2023
…13109)

* Update SkiaSharp to 2.88.6 to fix a critical security vulnerability

* Looks like Tizen needs to be updated separately
@grokys grokys added backported-11.0.x and removed backport-candidate-11.0.x Consider this PR for backporting to 11.0 branch labels Oct 16, 2023
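
The PR description names 2.88.6 as the first fixed SkiaSharp release, and the second commit notes that one platform's pin had to be updated separately, so a repository can carry several pins that drift apart. The following is an added example, not code from this PR or from Avalonia: a Python check that lists every SkiaSharp pin in an MSBuild file and orders it against 2.88.6. The sample project, its property names, and the rule that any package id of the form `SkiaSharp` or `SkiaSharp.*` shares the SkiaSharp version line are assumptions.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 88, 6)  # first SkiaSharp release with the fix, per the PR description

def classify(version_text):
    """Order a literal NuGet version against FIXED; anything else needs manual review."""
    m = re.fullmatch(r"\[?(\d+(?:\.\d+){1,3})(-[0-9A-Za-z.-]+)?\]?", version_text.strip())
    if not m:
        return "unresolved"  # version range, wildcard or undefined MSBuild property
    nums = tuple(int(p) for p in m.group(1).split("."))
    # A prerelease of 2.88.6 sorts before the 2.88.6 release, so it is still below the fix.
    if nums < FIXED or (nums[:3] == FIXED and m.group(2)):
        return "below-fix"
    return "at-or-above"

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the xmlns prefix used by old-style project files

def find_skiasharp_pins(xml_text):
    """Return (package id, resolved version, status) for each SkiaSharp pin in one MSBuild file."""
    root = ET.fromstring(xml_text)
    # Properties set in this same file, so Version="$(SomeProperty)" can be resolved.
    props = {local(p): (p.text or "").strip()
             for g in root.iter() if local(g) == "PropertyGroup" for p in g}
    pins = []
    for el in root.iter():
        pkg = el.get("Include") or el.get("Update") or ""
        if (local(el) not in ("PackageReference", "PackageVersion")
                or not re.fullmatch(r"(?i)skiasharp(\..+)?", pkg)):
            continue
        raw = el.get("Version") or next((c.text or "" for c in el if local(c) == "Version"), "")
        version = re.sub(r"\$\((\w+)\)", lambda m: props.get(m.group(1), m.group(0)), raw).strip()
        pins.append((pkg, version, classify(version)))
    return pins

# Constructed sample; the property names and the HarfBuzzSharp line are made up for illustration.
SAMPLE = """<Project>
  <PropertyGroup><SkiaSharpVersion>2.88.3</SkiaSharpVersion></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SkiaSharp" Version="$(SkiaSharpVersion)" />
    <PackageReference Include="SkiaSharp.NativeAssets.Linux" Version="2.88.6" />
    <PackageReference Include="HarfBuzzSharp" Version="2.8.2.3" />
    <PackageReference Include="SkiaSharp.NativeAssets.WebAssembly" Version="$(WasmSkiaVersion)" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, version, status in find_skiasharp_pins(SAMPLE):
        print(f"{status:12} {pkg} {version}")
```

The check only orders version numbers, and a pin reported as `unresolved` (a property defined in another file, or a version range) has to be traced by hand.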
Successfully merging this pull request may close these issues.

Critical security issue in SkiaSharp < 2.88.6