CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798
Comments
(cherry picked from commit 6b29012) Co-authored-by: Pierre Bourdon <delroth@gmail.com>
I think one way you could check for vendored webp is with nix-locate, searching for libwebp.so; for example, darktable might be vulnerable:
possibly also koreader
the full output
Thanks, that's indeed useful! I think the most common case though would be bundling the code and linking statically with the lib, which wouldn't necessarily be found by this - but maybe I'm just too pessimistic :) EDIT: added the ones you found to the tracking in the issue's first comment so we don't lose track of it.
darktable: links with libwebp, the libwebp.so is an internal plugin and is not a vendored version.
localsend: binary provenance, ships a vulnerable prebuilt libwebp (cc: @sikmir)
golden-cheetah-bin: binary provenance, ships a vulnerable prebuilt libwebp (cc: @gador @adamcstephens)
libreoffice sources file lists a libwebp-1.3.0.tar.gz (or libwebp-1.2.4.tar.gz for libreoffice-still)
Ugh, and good luck finding all the things that end up transitively depending on that crate I guess. qnighy/libwebp-sys2-rs#21 I suggested they file a GHSA so dependabot can go and do its thing, but it might still take a while to trickle down through dependents. Anyway, libwebp-sys2 version 0.1.8 looks like it's fixed.
There's also
The libwebp-sys2 crate also will link against the system libwebp if it is found. |
But since it transparently falls back to the vendored source, I'm going to assume most Rust programs in nixpkgs haven't bothered declaring libwebp (and pkg-config?) as buildInputs... But at least that might give us a lever to patch without requiring an upstream cargo deps bump? |
...unless the application has enabled the libwebp-sys2 'static' feature, then it will skip looking for the system one and build its own 🙃 |
Unsure how to deal with the libwebp-sys2 things, which would still be vulnerable for cross-compiling and pkgsStatic. Opened an upstream issue: qnighy/libwebp-sys2-rs#23 |
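One way to act on the transitive-dependents problem raised above, as an added example (not code from this thread, nixpkgs, or the libwebp-sys2 project): a small Cargo.lock audit that reports whether libwebp-sys2 is pinned below 0.1.8 (the version the thread reports as fixed) and which crates pull it in, directly or transitively. The lockfile and crate names (image-viewer, webp) are constructed for the example.

```python
# Constructed sample Cargo.lock (not a real project); the app reaches libwebp-sys2 via "webp".
SAMPLE_LOCK = """[[package]]
name = "image-viewer"
version = "0.3.0"
dependencies = [
 "webp",
]
[[package]]
name = "webp"
version = "0.2.2"
dependencies = [
 "libwebp-sys2 0.1.7",
]
[[package]]
name = "libwebp-sys2"
version = "0.1.7"
"""

def parse_lock(text):
    # Returns {crate name: {"version": str, "deps": [crate names]}}.
    packages, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[[package]]":
            cur = {"version": None, "deps": []}
        elif line.startswith("[") or cur is None:  # e.g. [metadata] ends the package blocks
            cur = None
        elif line.startswith('name = "'):
            packages[line.split('"')[1]] = cur
        elif line.startswith('version = "'):
            cur["version"] = line.split('"')[1]
        elif line.startswith('"'):  # dependencies entry: "name" or "name 1.2.3 (source)"
            cur["deps"].append(line.strip('",').split()[0])
    return packages

def dependents_of(packages, target):
    found, frontier = set(), {target}
    while frontier:
        frontier = {n for n, p in packages.items() if n not in found and any(d in frontier for d in p["deps"])}
        found |= frontier
    return sorted(found)

def audit(text, crate="libwebp-sys2", fixed="0.1.8"):
    # Pinned version of `crate`, whether it predates `fixed` (0.1.8 per the thread), and who depends on it.
    packages = parse_lock(text)
    if crate not in packages:
        return {"present": False}
    version = packages[crate]["version"]
    too_old = tuple(map(int, version.split("."))) < tuple(map(int, fixed.split(".")))
    return {"present": True, "version": version, "vulnerable": too_old,
            "dependents": dependents_of(packages, crate)}
```

Note that Cargo.lock does not record which crate features were enabled, so a lockfile audit cannot tell whether the 'static' feature mentioned above forces the vendored build even when the pinned version is fixed.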
Hi! Sorry for just popping in randomly, are there any publicly available workarounds for this issue currently? I'm on
To make it better, I reported them this like 2 weeks ago! They're still working on running the npm command on the stable branch, give them some time!
fluffychat and flutter updates have been backported now: #257166
I made a draft PR that contains the caprine-bin update (#257372), but the updated app turns out to be unusable (sindresorhus/caprine#2074).
The above issue is resolved in Caprine 2.58.3. Please take a look at #257372.
@Artturin @Scrumplex it was brought to my attention that the Darwin version for Discord was not bumped in 6 months, and is thus still vulnerable to this libwebp vuln. If nobody maintains this software can it be removed and/or marked as knownVulnerable? Thanks!
I'd say that after a bit of wait you mark packages as vulnerable and that is the main way of finding out whether someone is really willing to keep it alive.
I have bumped them in #257496. The main issue is that r-ryantm isn't helping us out here, as there is no
See #254798. Upstream has not provided any update for this critical vulnerability in > 2 weeks. These programs are also likely vulnerable to many more old vulnerabilities due to using EOL versions of Electron.
See NixOS#254798. Upstream has not provided any update for this critical vulnerability in > 2 weeks. These programs are also likely vulnerable to many more old vulnerabilities due to using EOL versions of Electron. (cherry picked from commit dddf103)
All the packages I evaluated as being high-risk have now been taken care of (and most of them did actually get updates, woo! only marked 2 or 3 as insecure). Right now I don't think anyone has the bandwidth to try and track the rest. I'm going to close this bug - if someone does want to take over the remediation for the rest of the impacted packages, feel free to reopen and assign yourself. (Note however that there is a large overlap between vulnerable to this libwebp vuln and vulnerable to the recent libvpx vuln... so maybe just go help over there instead of reusing this bug.)
Unpinning due to closing
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/my-wishlist-for-nixos-security-in-2024/34999/22 |
Filing this issue to track CVE-2023-4863 related actions in nixpkgs. Feel free to send questions my way and/or contribute via comments in this issue!

What's CVE-2023-4863

A buffer overflow in libwebp which allows a malicious actor to potentially get code execution in software that displays a specially crafted image file. This impacts pretty much all web browsers, as well as other software which might process or display untrusted images (image editing software, email clients, chat clients, social media clients, etc.). Chrome has rated this vulnerability as critical severity and has indicated that they have evidence some actors are already exploiting it in the wild. This vulnerability was very shortly referred to as CVE-2023-5129, but that second CVE for the same vulnerability has since been withdrawn.

Current status

Firefox and Chromium are not vulnerable anymore as of 2023-09-16 in unstable and 23.05. Direct dependents of the system libwebp are also not vulnerable anymore. Some applications bundle their own version of libwebp instead of using the system version (including some other web browsers in nixpkgs: Brave, Tor Browser, etc.). Each of these needs to be updated separately by nixpkgs maintainers. See below for a list of all the known applications that need an update and their status.

How to help

Task list

libsForQt5.qt5.qtimageformats: add dependencies jasper, libmng, and libwebp (#255044 / [23.05] qt5.qtimageformats: unvendor libwebp #255432)
golden-cheetah-bin: mark insecure due to CVE-2023-4863 #255339
[23.05] golden-cheetah-bin: mark insecure due to CVE-2023-4863 #258357
static crate feature is enabled.

Notes

knownVulnerable at some point if upstream can't be convinced to make a new release.