libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254775
Conversation
This CVE is critical severity and has been exploited in the wild. It was reported as being a Chromium vulnerability, but it seems to in fact impact libwebp (and thus all its downstream users). There is, however, no official confirmation of this yet. The upstream fix patch (webmproject/libwebp@902bc919) does not cleanly apply onto 1.3.1, so we vendor a very slightly modified version which does cleanly apply. This is my original work, so YMMV on whether you trust it or not; reviews very much welcomed :-)
(Also open to better ideas than "vendoring a patch not validated by upstream", but I have no clue how I'd even get started engaging with upstream here since their development process is extremely opaque to outsiders.)
My backport of the patch seems to match Mozilla's, FWIW: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566 I've diffed the result of applying my patch and Mozilla's patch; they're identical.
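The check described in the comment above (apply both backports to the same pristine tree and diff the two results, rather than eyeballing the patch files) as an added example. This is not code from this PR, nixpkgs, Mozilla or libwebp: the source tree and the three patches it writes are constructed stand-ins for the demonstration, not libwebp 1.3.1 or the real CVE-2023-4863 fix. The constructed "backport" patch mimics two variations a reviewer actually meets, a vendored path prefix that needs a different `-p` strip level (the src/3rdparty/libwebp/ situation mentioned later in this thread) and a smaller context window, while the "divergent" patch shows the tree diff catching a backport that quietly changes the fix.

```sh
#!/usr/bin/env sh
# Added example, not code from nixpkgs, this PR, Mozilla or libwebp.
# Two independently written backports of one upstream fix are equivalent iff
# applying each to a fresh copy of the same pristine tree yields identical
# trees. Needs POSIX sh plus patch(1), diff(1) and mktemp(1).

# Apply PATCHFILE (unified diff) with the given -p strip level to a fresh copy
# of TREE in a scratch directory. Prints the scratch dir; returns 1 if patch
# fails (wrong path, rejected hunk), discarding the scratch dir in that case.
apply_in_scratch() {
  tree=$1; strip=$2; patchfile=$3
  scratch=$(mktemp -d)
  cp -R "$tree"/. "$scratch"/
  # -t: never prompt (a missing file is a failure, not a question);
  # -N: refuse already-applied/reversed patches; -s: only report errors.
  if ! patch -d "$scratch" -p"$strip" -s -t -N < "$patchfile" >/dev/null 2>&1; then
    rm -rf "$scratch"
    return 1
  fi
  # patch leaves *.orig backups when a hunk applied only with offset or fuzz;
  # that is still a successful apply, so keep them out of the tree comparison.
  find "$scratch" -type f -name '*.orig' -exec rm -f {} \;
  printf '%s\n' "$scratch"
}

# Usage: backports_match TREE STRIP_A PATCH_A STRIP_B PATCH_B
# Returns 0 if both patched trees are byte-identical, 1 if they differ,
# 2 if either patch fails to apply.
backports_match() {
  bm_tree=$1
  bm_a=$(apply_in_scratch "$bm_tree" "$2" "$3") || return 2
  bm_b=$(apply_in_scratch "$bm_tree" "$4" "$5") || { rm -rf "$bm_a"; return 2; }
  if diff -r "$bm_a" "$bm_b" >/dev/null; then bm_rc=0; else bm_rc=1; fi
  rm -rf "$bm_a" "$bm_b"
  return $bm_rc
}

# Constructed fixture under one temp dir: tree/ stands in for the pristine
# release tarball, patches/ holds three patches against it. Prints the root.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/tree/src/utils" "$fx/patches"
  cat > "$fx/tree/src/utils/table.c" <<'EOF'
/* constructed stand-in for a decoder helper; not libwebp code */
#include <stddef.h>

static int table[16];

int lookup(size_t i) {
  return table[i];
}

int unrelated(void) {
  return 1;
}
EOF
  # "Upstream" fix: adds a bounds check, standard a/ b/ prefix (-p1).
  cat > "$fx/patches/upstream.patch" <<'EOF'
--- a/src/utils/table.c
+++ b/src/utils/table.c
@@ -6,3 +6,4 @@
 int lookup(size_t i) {
+  if (i >= 16) return -1;
   return table[i];
 }
EOF
  # Backport onto a vendored copy: extra path component (needs -p2) and a
  # different context window, but the same change.
  cat > "$fx/patches/backport.patch" <<'EOF'
--- a/vendor/src/utils/table.c
+++ b/vendor/src/utils/table.c
@@ -7,1 +7,2 @@ int lookup(size_t i) {
+  if (i >= 16) return -1;
   return table[i];
EOF
  # Divergent backport: looks almost identical, but the bound is off by one.
  cat > "$fx/patches/divergent.patch" <<'EOF'
--- a/src/utils/table.c
+++ b/src/utils/table.c
@@ -6,3 +6,4 @@
 int lookup(size_t i) {
+  if (i > 16) return -1;
   return table[i];
 }
EOF
  printf '%s\n' "$fx"
}

# Run both comparisons on the constructed fixture and report.
demo() {
  fx=$(make_fixture)
  if backports_match "$fx/tree" 1 "$fx/patches/upstream.patch" 2 "$fx/patches/backport.patch"; then
    echo "upstream vs vendored backport: identical trees"
  else
    echo "upstream vs vendored backport: differ or failed to apply"
  fi
  if backports_match "$fx/tree" 1 "$fx/patches/upstream.patch" 1 "$fx/patches/divergent.patch"; then
    echo "upstream vs divergent backport: identical trees"
  else
    echo "upstream vs divergent backport: differ or failed to apply"
  fi
  rm -rf "$fx"
}

demo
```

For a real review, `TREE` would be the unpacked libwebp 1.3.1 tarball and the two patches the vendored nixpkgs patch and Mozilla's; the point of diffing trees instead of patches is that differing hunk offsets, context sizes and path prefixes all wash out, and only a genuine difference in the resulting source survives.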
Assuming nontrivial security concerns,
If this PR goes fast, I think we'd get to nixos-unstable in a few days, during the weekend at the latest.
@mweinelt, as de facto security lead (if you disagree, name who you think is de facto security lead :P), please LGTM this for the approach taken and whether we should send this to staging-next as soon as this is reviewed, or whether we should wait for something else. Or delegate that decision to someone else :)
I think we can merge to staging-next now, I was trying to run the firefox tests, but pylint is currently broken on staging-next. Will try to look into that tonight. |
The idea seems reasonable, and I compared the patch to Mozilla's.
Backport failed for staging-23.05. Please cherry-pick the changes locally.

```sh
git fetch origin staging-23.05
git worktree add -d .worktree/backport-254775-to-staging-23.05 origin/staging-23.05
cd .worktree/backport-254775-to-staging-23.05
git checkout -b backport-254775-to-staging-23.05
ancref=$(git merge-base 92f41becba5701c37372ad1a990a31893779b43d 0f11042876c07f1abbe172d9c8fe41feedd0be9c)
git cherry-pick -x $ancref..0f11042876c07f1abbe172d9c8fe41feedd0be9c
```
I'll send a backport PR shortly.
Same patch as used for main/libwebp but with adjusted paths to include src/3rdparty/libwebp/ Origin: NixOS/nixpkgs#254775
There's an upstream release now: webmproject/libwebp@v1.3.1...v1.3.2
cc @vcunat since I'm targeting staging-next with this.