
libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254775

Merged
merged 1 commit into from Sep 12, 2023

Conversation

delroth
Contributor

@delroth delroth commented Sep 12, 2023

Description of changes

This CVE is critical severity and has been exploited in the wild. It was reported as being a Chromium vulnerability, but it seems to in fact impact libwebp (and thus all its downstream users). There is however no official confirmation of this yet.

The upstream fix patch (webmproject/libwebp@902bc919) does not cleanly apply onto 1.3.1, so we vendor a very slightly modified version which does cleanly apply. This is my original work, so YMMV on whether you trust it or not, reviews very much welcomed :-)

cc @vcunat since I'm targeting staging-next with this.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@delroth
Contributor Author

delroth commented Sep 12, 2023

(Also open to better ideas than "vendoring a patch not validated by upstream", but I have no clue how I'd even get started engaging with upstream here since their development process is extremely opaque to outsiders.)

@delroth
Contributor Author

delroth commented Sep 12, 2023

My backport of the patch seems to match Mozilla's, FWIW: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566

I've diffed the result of applying my patch and Mozilla patch, they're identical.

@vcunat
Member

vcunat commented Sep 12, 2023

Assuming nontrivial security concerns, staging-next is a good choice for this amount of rebuilds (~30k total last time) – at least in the current situation. I haven't reviewed the patch (backport).

@vcunat
Member

vcunat commented Sep 12, 2023

If this PR goes fast, I think we'd get to nixos-unstable in a few days, by the weekend at the latest.

@delroth
Contributor Author

delroth commented Sep 12, 2023

@mweinelt as de facto security lead (if you disagree, name who you think is de facto security lead :P) please LGTM this for the approach taken and whether we should send this to staging-next as soon as this is reviewed, or whether we should wait for something else. Or delegate that decision to someone else :)

@mweinelt
Member

I think we can merge to staging-next now. I was trying to run the firefox tests, but pylint is currently broken on staging-next. Will try to look into that tonight.

@delroth delroth requested a review from ajs124 September 12, 2023 16:16
Contributor

@yu-re-ka yu-re-ka left a comment


The idea seems reasonable, and I compared the patch to Mozilla's.

@mweinelt mweinelt merged commit bc6f47f into NixOS:staging-next Sep 12, 2023
9 of 10 checks passed
@github-actions
Contributor

Backport failed for staging-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin staging-23.05
git worktree add -d .worktree/backport-254775-to-staging-23.05 origin/staging-23.05
cd .worktree/backport-254775-to-staging-23.05
git checkout -b backport-254775-to-staging-23.05
ancref=$(git merge-base 92f41becba5701c37372ad1a990a31893779b43d 0f11042876c07f1abbe172d9c8fe41feedd0be9c)
git cherry-pick -x $ancref..0f11042876c07f1abbe172d9c8fe41feedd0be9c

@delroth
Contributor Author

delroth commented Sep 12, 2023

I'll send a backport PR shortly.

algitbot pushed a commit to alpinelinux/aports that referenced this pull request Sep 14, 2023
Same patch as used for main/libwebp but with adjusted paths to include
src/3rdparty/libwebp/

Origin: NixOS/nixpkgs#254775
@ajs124
Member

ajs124 commented Sep 14, 2023

There's an upstream release now webmproject/libwebp@v1.3.1...v1.3.2
