CVE-2023-4863 (libwebp heap buffer overflow) tracking

[delroth]

Filing this issue to track CVE-2023-4863 related actions in nixpkgs. Feel free to send questions my way and/or contribute via comments in this issue!

What's CVE-2023-4863

A buffer overflow in libwebp which allows a malicious actor to potentially get code execution in software that displays a specially crafted image file. This impacts pretty much all web browsers, as well as other software which might process or display untrusted images (image editing software, email clients, chat clients, social media clients, etc.). Chrome has rated this vulnerability as critical severity and has indicated that they have evidence some actors are already exploiting it in the wild.

This vulnerability was very shortly referred to as CVE-2023-5129, but that second CVE for the same vulnerability has since been withdrawn.

Current status

Firefox and Chromium are not vulnerable anymore as of 2023-09-16 in unstable and 23.05. Direct dependents of the system libwebp are also not vulnerable anymore. Some applications bundle their own version of libwebp instead of using the system version (including some other web browsers in nixpkgs: Brave, Tor Browser, etc.). Each of these need to be updated separately by nixpkgs maintainers. See below for a list of all the known applications that need an update and their status.

How to help

• Review/merge any nixpkgs PR that you see pending in the task list below.
• Help figure out a course of action for yet untriaged packages. Report your findings and suggested course of action in a comment here, and I'll update the sheet and the task list below.
• If you have an idea of how to fix/address the vulnerability in any of the packages listed in the task list below, don't hesitate to post a comment here and send pull requests! Feel free to cc me on PRs so I can make sure they're tracked and they don't get lost.

Task list

• libwebp is updated in staging-next (unstable: libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254775, 23.05: [staging-23.05] libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254789)
  • This will make it to master via staging-next 2023-09-07 #253854 - @vcunat said likely this weekend.
  • We need to merge staging-23.05 to release-23.05. That should also finish this week: staging-next-23.05 iteration 8 - 2023-09-13 #254997
• electron is also vulnerable. Upstream is making new releases on all their supported branches to include the patch.
  • electron 26 bumped in master (electron: 26.1.0 -> 26.2.1 (CVE-2023-4863, #254798) #254816).
  • electron 25 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
  • electron 24 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
  • electron 22 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
  • electron 26 bumped in 23.05 ([Backport release-23.05] electron: 26.1.0 -> 26.2.1 (CVE-2023-4863, #254798) #254819).
  • electron 25 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
  • electron 24 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
  • electron 22 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
• We should figure out what else might be vendoring libwebp. Not sure if there's tooling for this? List of derivations to investigate further and possibly patch:
  • List of stuff found to vendor libwebp + triaging status
  • High risk stuff (mail clients, IM clients, web browsers)
    • armcord
    • caprine-bin (caprine-bin: 2.58.0 -> 2.58.3 #257372, [Backport 23.05] caprine-bin: 2.55.5 -> 2.58.3 #257472)
    • discord (discord: 0.0.29 -> 0.0.30 #256943, [Backport release-23.05] discord: 0.0.29 -> 0.0.30 #256994)
      • Darwin version: discord: Darwin updates #257496 / [Backport release-23.05] discord: Darwin updates #257716
    • fluffychat (Backport all flutter & flutter package changes to 23.05 #257166)
    • gitter (gitter: remove (unmaintained upstream, probably useless now) #255784, [release-23.05] gitter: mark vulnerable to CVE-2023-4863 #255786)
    • mailspring
    • mattermost-desktop (mattermost-desktop: 5.3.1 -> 5.5.0 #257162 / [Backport release-23.05] mattermost-desktop: 5.3.1 -> 5.5.0 #257243)
    • mautrix-whatsapp (mautrix-whatsapp: 0.10.1 -> 0.10.2 #256178 / 23.05 [Backport release-23.05] mautrix-whatsapp: 0.10.1 -> 0.10.2 #256209)
    • microsoft-edge (microsoft-edge: 116.0.1938.76 -> 117.0.2045.35 #256223 / [Backport release-23.05] microsoft-edge: 116.0.1938.76 -> 117.0.2045.35 #256595)
    • mullvad-browser (mullvad-browser: 12.5.3 -> 12.5.4 #255078 / [Backport release-23.05] mullvad-browser: 12.5.3 -> 12.5.4 #255106)
    • palemoon-bin (palemoon-bin: 32.3.1 -> 32.4.0.1 #257126, [Backport release-23.05] palemoon-bin: 32.3.1 -> 32.4.0.1 #257614)
    • rocketchat-desktop (rocketchat-desktop: 3.8.11 -> 3.9.7 #255910 / [Backport release-23.05] rocketchat-desktop: 3.8.11 -> 3.9.7 #257128)
    • signal-desktop (signal-desktop: 6.30.1 -> 6.30.2 #255129, [release-23.05] signal-desktop: 6.29.1 -> 6.30.2 (CVE-2023-4863, #254798) #255139)
    • signal-desktop-beta (signal-desktop: 6.30.2 -> 6.31.0, signal-desktop-beta: 6.31.0-beta.1 -> 6.32.0-beta.1 #256435 / [Backport release-23.05] signal-desktop-beta: 6.30.0-beta.2 -> 6.31.0-beta.1, signal-desktop-beta: 6.31.0-beta.1 -> 6.32.0-beta.1 #257169)
    • slack (slack: 4.34.115 -> 4.34.120 #257135 / [Backport release-23.05] slack: 4.29.149 -> 4.34.120 (linux), 4.29.149 -> 4.34.119 (darwin) #257149)
    • threema-desktop (embedded electron not used)
    • tor-browser-bundle-bin (tor-browser-bundle-bin: 12.5.3 -> 12.5.4 #255076 / [Backport release-23.05] tor-browser-bundle-bin: 12.5.3 -> 12.5.4 #255105)
    • tutanota-desktop (tutanota-desktop: 3.115.2 -> 3.118.7 #255335 / [Backport release-23.05] tutanota-desktop: 3.112.6 -> 3.118.7 #255888)
  • Libs that other stuff might depend on
    • flutter
    • libcef (libcef: 116.0.21 -> 116.0.24 #256001 / [release-23.05] libcef: 112.3.0 -> 116.0.24 #256003)
    • opencv (opencv3,opencv4: disable some unnecessary vendoring on Darwin #256444 / [Backport release-23.05] opencv3,opencv4: disable some unnecessary vendoring on Darwin #257726)
    • qt5.qtimageformats (libsForQt5.qt5.qtimageformats: add dependencies jasper, libmng, and libwebp #255044 / [23.05] qt5.qtimageformats: unvendor libwebp #255432)
    • qtwebengine (darwin only, maybe?)
    • smooth (smooth: unvendor all the things #255994 / [Backport release-23.05] smooth: unvendor all the things #256182)
  • darktable (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
  • golden-cheetah-bin: ships a vulnerable prebuilt libwebp (cc: @gador @adamcstephens)
    golden-cheetah-bin: mark insecure due to CVE-2023-4863 #255339
    [23.05] golden-cheetah-bin: mark insecure due to CVE-2023-4863 #258357
  • koreader: ships a vulnerable prebuilt libwebp (cc: @contrun @neonfuz)
  • libreoffice (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
  • localsend: ships a vulnerable prebuilt libwebp (cc: @sikmir)
  • obs-studio (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
  • rigsofrods-bin (ships a vulnerable prebuilt libwebp (cc: @wegank))
  • Anything Rust that depends (transitively or not) on libwebp-sys2 < v0.1.8
    • libwebp-sys2 might silently decide to build its vendored version, if it can't find system libwebp or if the static crate feature is enabled.
    • gst_all_1.gst-plugins-rs (gst_all_1.gst-plugins-rs: check that system libwebp was linked #254915)
    • catppuccin-catwalk (catppucin-catwalk: use system libwebp #254911)
  • Anything Rust that depends (transitively or not) on libwebp-sys < v0.9.3
    • Linking against system webp is intentionally not supported: Support linking to system-installed libwebp NoXF/libwebp-sys#17
    • oculante oculante: 0.7.4 -> 0.7.5 #255247
  • .NET software that uses SkiaSharp. Upstream has yet to release a fixed version. ([BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863 mono/SkiaSharp#2608)
    • avalonia-ilspy
    • BeatSaberModManager
    • denaro
    • galaxy-buds-client
    • jellyfin
    • mission-planner
    • mqttmultimeter
    • opentracker
    • openutau
    • ryujinx
    • scarab
    • wasabiwallet
  • Go software linking with https://github.com/chai2010/webp (CVE-2023-4863 impacting libwebp 1.0.2 chai2010/webp#61, Vendored libwebp is vulnerable to CVE-2023-4863 bep/gowebp#7) - broken down per vulnerable lib
    • https://github.com/chai2010/webp (unmaintained, likely never getting patched - action should be getting upstream to migrate away)
      • hydron (hydron: mark as vulnerable to CVE-2023-4863 #255959 / [Backport release-23.05] hydron: mark as vulnerable to CVE-2023-4863 #256181)
      • mautrix-whatsapp (mautrix-whatsapp uses an unmaintained webp library, vulnerable to CVE-2023-4863 mautrix/whatsapp#650)
    • https://github.com/bep/gowebp (Vendored libwebp is vulnerable to CVE-2023-4863 bep/gowebp#7)
      • hugo
  • Godot related derivations: these should be unvendored (capability already exists in the build system).
    • godot_4
    • godot3
    • godot3-server
    • godot3-headless
    • godot3-export-templates
    • Built using Godot
      • lorien
      • oh-my-git
  • Electron apps where we ship upstream binaries instead of using nixpkgs electron
    • Best course of action: upstream should update to electron >= 26.2.1, >= 25.8.1, >= 24.8.3, or >= 22.3.24 and tag a new release
    • atom
    • hakuneko
    • hyper
    • indigenous-desktop
    • joplin-desktop
    • keeweb (unmaintained, mark as insecure?)
    • keybase-gui
    • insomnia
    • mullvad-vpn
    • simplenote

Notes

• For derivations that vendor a vulnerable libwebp, priority list of preferred action to take:
  • De-vendor libwebp and use the version from nixpkgs. (Difficult/impossible for binary provenance derivations.)
  • Update to a new version from upstream that has a more recent libwebp patched for the vulnerability (TODO: how to check?)
  • Mark as knownVulnerable at some point if upstream can't be convinced to make a new release.
• List of all software in nixpkgs known to contain libwebp: https://gist.github.com/delroth/a49ce318c4a2c28ec3d7c8bc4adb9b61

[delroth]

https://github.com/electron/electron/releases/tag/v26.2.1 is now out

[theotheroracle]

i think one way you could check for vendored webp is with nix-locate, searching for libwebp.so, for example darktable might be vulnerable :

darktable.out                                    35,056 x /nix/store/1gzd3ccrpay6gxzcpdgyw32rxbjx14hg-darktable-4.4.1/lib/darktable/plugins/imageio/format/libwebp.so

possibly also koreader

koreader.out                                    453,256 r /nix/store/v1mbs4f2mi9zcx89b52qf0yajrj5kp27-koreader-2023.04/lib/koreader/libs/libwebp.so.7

the full output

(wineWowPackages.waylandFull.out)                     0 s /nix/store/z0i5x86ah38yfg72wg4zc1fsgi0q0m96-libwebp-1.3.1/lib/libwebp.so
(wineWowPackages.waylandFull.out)                     0 s /nix/store/z0i5x86ah38yfg72wg4zc1fsgi0q0m96-libwebp-1.3.1/lib/libwebp.so.7
(wineWowPackages.waylandFull.out)               516,292 x /nix/store/z0i5x86ah38yfg72wg4zc1fsgi0q0m96-libwebp-1.3.1/lib/libwebp.so.7.1.7
rigsofrods-bin.out                              420,216 x /nix/store/2gy1acpf7f1rx4q7jwnv2bfnf7qak95f-rigsofrods-bin-2022.12/share/rigsofrods/lib/libwebp.so.6
rigsofrods-bin.out                              420,216 x /nix/store/2gy1acpf7f1rx4q7jwnv2bfnf7qak95f-rigsofrods-bin-2022.12/share/rigsofrods/lib/libwebp.so.6.0.2
(localsend.out)                                       0 s /nix/store/zr6y7jlfryldg25bjvqcrpkqpsln6jrr-localsend-1.10.0-extracted/usr/lib/x86_64-linux-gnu/libwebp.so.7
(localsend.out)                                 428,592 r /nix/store/zr6y7jlfryldg25bjvqcrpkqpsln6jrr-localsend-1.10.0-extracted/usr/lib/x86_64-linux-gnu/libwebp.so.7.1.3
libwebp.out                                           0 s /nix/store/6h8vv9b2i00xzv48a2pm72k90rh26fhi-libwebp-1.3.1/lib/libwebp.so
libwebp.out                                           0 s /nix/store/6h8vv9b2i00xzv48a2pm72k90rh26fhi-libwebp-1.3.1/lib/libwebp.so.7
libwebp.out                                     492,424 x /nix/store/6h8vv9b2i00xzv48a2pm72k90rh26fhi-libwebp-1.3.1/lib/libwebp.so.7.1.7
koreader.out                                    453,256 r /nix/store/v1mbs4f2mi9zcx89b52qf0yajrj5kp27-koreader-2023.04/lib/koreader/libs/libwebp.so.7
(heroic.out)                                          0 s /nix/store/jcwmqv6mx9syrvr6a51km033wzv59swb-heroic-usr-target/lib/libwebp.so
(heroic.out)                                          0 s /nix/store/jcwmqv6mx9syrvr6a51km033wzv59swb-heroic-usr-target/lib/libwebp.so.7
(heroic.out)                                          0 s /nix/store/jcwmqv6mx9syrvr6a51km033wzv59swb-heroic-usr-target/lib/libwebp.so.7.1.7
(heroic.out)                                          0 s /nix/store/4j8r7q0f7q0vfzx87lyy9mj7h3099ik7-heroic-usr-multi/lib/libwebp.so
(heroic.out)                                          0 s /nix/store/4j8r7q0f7q0vfzx87lyy9mj7h3099ik7-heroic-usr-multi/lib/libwebp.so.7
(heroic.out)                                          0 s /nix/store/4j8r7q0f7q0vfzx87lyy9mj7h3099ik7-heroic-usr-multi/lib/libwebp.so.7.1.7
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib32/libwebp.so
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib32/libwebp.so.7
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib32/libwebp.so.7.1.7
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib64/libwebp.so
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib64/libwebp.so.7
(heroic.out)                                          0 s /nix/store/7safyyman55cnbfb1d0i2pc1q79dxyzi-heroic-fhs/usr/lib64/libwebp.so.7.1.7
(golden-cheetah-bin.out)                        424,896 r /nix/store/wpy2vpbkvqa7j4nw9vi93znfckwikl5y-golden-cheetah-3.6-RC4-extracted/lib/libwebp.so.6
darktable.out                                    35,056 x /nix/store/1gzd3ccrpay6gxzcpdgyw32rxbjx14hg-darktable-4.4.1/lib/darktable/plugins/imageio/format/libwebp.so

[delroth]

i think one way you could check for vendored webp is with nix-locate, searching for libwebp.so

Thanks, that's indeed useful! I think the most common case though would be bundling the code and linking statically with the lib, which wouldn't necessarily be found by this - but maybe I'm just too pessimistic :)

EDIT: added the ones you found to the tracking in the issue's first comment so we don't lose track of it.

[delroth]

darktable: links with libwebp, the libwebp.so is an internal plugin and is not a vendored version.

[delroth]

koreader: binary provenance, ships a vulnerable prebuilt libwebp (cc: @contrun @neonfuz).

[delroth]

localsend: binary provenance, ships a vulnerable prebuilt libwebp (cc: @sikmir)

[delroth]

golden-cheetah-bin: binary provenance, ships a vulnerable prebuilt libwebp (cc: @gador @adamcstephens)

[yu-re-ka]

libreoffice sources file lists a libwebp-1.3.0.tar.gz (or libwebp-1.2.4.tar.gz for libreoffice-still)

[yu-re-ka]

oculante, gst_all_1.gst-plugins-rs vendor libwebp via the rust crate libwebp-sys2

[delroth]

oculante, gst_all_1.gst-plugins-rs vendor libwebp via the rust crate libwebp-sys2

Ugh, and good luck finding all the things that end up transitively depending on that crate I guess. qnighy/libwebp-sys2-rs#21 I suggested they file a GHSA so dependabot can go and do its thing, but it might still take a while to trickle down through dependents.

Anyway, libwebp-sys2 version 0.1.8 looks like it's fixed.

[delroth]

libreoffice sources file lists a libwebp-1.3.0.tar.gz (or libwebp-1.2.4.tar.gz for libreoffice-still)

There's also ++ optionals (lib.versionAtLeast (lib.versions.majorMinor version) "7.4") [ libwebp ]; and I can't seem to find the vendored code by grepping for strings in the binaries. Would need further checking, but I'm tempted to say libreoffice is fine?

[yu-re-ka]

The libwebp-sys2 crate also will link against the system libwebp if it is found.
I'm currently compiling a list of rust packages that use libwebp-sys2.

[delroth]

The libwebp-sys2 crate also will link against the system libwebp if it is found.

But since it transparently falls back to the vendored source, I'm going to assume most Rust programs in nixpkgs haven't bothered declaring libwebp (and pkg-config?) as buildInputs... But at least that might give us a lever to patch without requiring an upstream cargo deps bump?

[yu-re-ka]

...unless the application has enabled the libwebp-sys2 'static' feature, then it will skip looking for the system one and build its own 🙃

[yu-re-ka]

Unsure how to deal with the libwebp-sys2 things, which would still be vulnerable for cross-compiling and pkgsStatic. Opened an upstream issue: qnighy/libwebp-sys2-rs#23

[xyzeva]

Hi!

Sorry for just popping in randomly, are there any publicly available workarounds for this issue currently? I'm on nixos-unstable, but it seems like firefox nor others have gotten their version bump on that branch.

[xyzeva]

Great, thanks for looking into it! Hopefully they'll roll out that update to the stable branch soon... I guess it's difficult for a small indie developer like them, it's only been 2 weeks since the fix was made available! :-)

To make it better, I reported them this like 2 weeks ago! They're still working on running the npm command on the stable branch, give them some time!

[mkg20001]

fluffychat and flutter updates have been backported now: #257166

[ShamrockLee]

I made a draft PR that contains the caprine-bin update (#257372), but the updated app turns out to be unusable (sindresorhus/caprine#2074).

[ShamrockLee]

I made a draft PR that contains the caprine-bin update (#257372), but the updated app turns out to be unusable (sindresorhus/caprine#2074).

The above issue is resolved in Caprine 2.58.3. Please take a look at #257372.

[delroth]

@Artturin @Scrumplex it was brought to my attention that the Darwin version for Discord was not bumped in 6 months, and is thus still vulnerable to this libwebp vuln.

If nobody maintains this software can it be removed and/or marked as knownVulnerable? Thanks!

[vcunat]

I'd say that after a bit of wait you mark packages as vulnerable and that is the main way of finding out whether someone is really willing to keep it alive.

[Scrumplex]

it was brought to my attention that the Darwin version for Discord was not bumped in 6 months, and is thus still vulnerable to this libwebp vuln.

If nobody maintains this software can it be removed and/or marked as knownVulnerable? Thanks!

I have bumped them in #257496. The main issue is that r-ryantm isn't helping us out here, as there is no updateScript for the darwin packaging. Not sure if any of the other Discord maintainers are using Darwin, but I certainly don't and would need some assistance testing these.

[ShamrockLee]

losslesscut-bin is affected. I created mifi/lossless-cut#1726 to remind the LosslessCut upstream to make a new patch release, so that me can update losslesscut-bin.

[OPNA2608]

palemoon-bin is affected, fix: #257126

[delroth]

All the packages I evaluated as being high-risk have now been taken care of (and most of them did actually get updates, woo! only marked 2 or 3 as insecure). Right now I don't think anyone has the bandwidth to try and track the rest. I'm going to close this bug - if someone does want to take over the remediation for the rest of the impacted packages, feel free to reopen and assign yourself.

(Note however that there is a large overlap between vulnerable to this libwebp vuln and vulnerable to the recent libvpx vuln... so maybe just go help over there instead of reusing this bug.)

[fabianhjr]

Unpinning due to closing

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/my-wishlist-for-nixos-security-in-2024/34999/22