
Bug 919456

Summary: <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnerability
Product: Gentoo Security
Reporter: nvaert1986 <nvaert1986>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, csfore, kensington
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/bitwarden/clients/releases/tag/desktop-v2023.9.0
See Also: https://github.com/bitwarden/clients/pull/6295
          https://github.com/gentoo/gentoo/pull/34223
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 916688
Bug Blocks: 914072

Description nvaert1986 2023-12-08 11:01:28 UTC
As already requested per: https://bugs.gentoo.org/916688. Please update the version of app-admin/bitwarden-desktop-bin to 2023.9.0 or higher due to the WebP security 

Reproducible: Always

Steps to Reproduce:
1. Run emerge -pv bitwarden-desktop-bin and notice that the latest version in portage is 2023.7.1.

Actual Results:
An outdated version of app-admin/bitwarden-desktop-bin.

Expected Results:
A secure up-to-date version of app-admin/bitwarden-desktop-bin.

Let me know if any additional information is necessary.
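As an added example, not part of this bug report or of Gentoo's own tooling: a POSIX shell script that tells an administrator whether a given (or the installed) version of app-admin/bitwarden-desktop-bin still falls inside the vulnerable range "<2023.12.0" stated in the summary. The version comparison is plain shell and runs anywhere; querying the live system assumes portageq (shipped with sys-apps/portage) is available, which is only the case on a Gentoo host.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a version of
# app-admin/bitwarden-desktop-bin lies in the range "<2023.12.0" from this
# bug's summary, i.e. still bundles the Electron build affected by
# CVE-2023-4863 / CVE-2023-5129.

PKG="app-admin/bitwarden-desktop-bin"
FIXED_VERSION="2023.12.0"   # first version in the tree carrying the fix (bug summary)

# version_lt A B: return 0 when dotted numeric version A is strictly lower than B.
# Gentoo revision suffixes (-r1, ...) are ignored because they do not change the
# upstream release; missing trailing components are treated as 0.
version_lt() {
    a="${1%%-r*}"
    b="${2%%-r*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# is_vulnerable VERSION: exit 0 if VERSION is inside the vulnerable range.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_version VERSION: print a verdict; exit status 0 = fixed, 1 = affected.
check_version() {
    if is_vulnerable "$1"; then
        echo "$PKG-$1: affected (< $FIXED_VERSION), upgrade required"
        return 1
    fi
    echo "$PKG-$1: not affected (>= $FIXED_VERSION)"
    return 0
}

# installed_version: ask portage for the installed version of PKG.
# Assumes portageq is present (it ships with sys-apps/portage); prints nothing
# when the package is not installed.
installed_version() {
    portageq match / "$PKG" 2>/dev/null | sed "s|^$PKG-||" | tail -n1
}

# Usage: sh check-bitwarden.sh [VERSION]
# Without an argument the script inspects the live system (Gentoo only).
if [ $# -gt 0 ]; then
    check_version "$1"
elif command -v portageq >/dev/null 2>&1; then
    ver="$(installed_version)"
    if [ -n "$ver" ]; then
        check_version "$ver"
    else
        echo "$PKG is not installed"
    fi
fi
```

The summary's bound (2023.12.0, the version actually added to the tree) is used rather than the reporter's "2023.9.0 or higher", so that the check matches what the fix commit shipped; change FIXED_VERSION if you track upstream's own threshold instead.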
Comment 1 Eli Schwartz 2023-12-08 15:14:09 UTC
If it was already requested then why request it a second time?
Comment 2 nvaert1986 2023-12-08 16:11:41 UTC
This bug is related to a security vulnerability; the other was just a regular bump request. Feel free to close, merge, or link one of them. I figured I'd report it separately as a matter of importance due to security bugs (though unlikely to be exploited, it could be done).
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 01:43:38 UTC
I presume the primary fixed vulnerabilities here are CVE-2023-4863 and CVE-2023-5129?
Comment 4 nvaert1986 2023-12-22 07:19:57 UTC
(In reply to John Helmert III from comment #3)
> I presume the primary fixed vulnerabilities here are CVE-2023-4863 and
> CVE-2023-5129?

This is correct.
Comment 5 nvaert1986 2023-12-22 07:27:11 UTC
It was basically included in 2023.9.0 as they upgraded the Electron version to 24.8.3. Some say there is no direct impact, while others state it can have an impact through rendering an external icon as described here: https://community.bitwarden.com/t/cve-2023-4863-cve-2023-5129/58580/3

"It can through the icons feature. While I don’t have a webp image file to test the exploit, I have tested that the desktop electron client happily renders a webp image - if served by the icons server."
Comment 6 Larry the Git Cow gentoo-dev 2024-01-07 00:16:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf

commit 92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2023-12-10 20:39:47 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-01-07 00:08:56 +0000

    app-admin/bitwarden-desktop-bin: add 2023.12.0
    
    Bug: https://bugs.gentoo.org/919456
    Closes: https://bugs.gentoo.org/916688
    Closes: https://github.com/gentoo/gentoo/pull/34223
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-admin/bitwarden-desktop-bin/Manifest           |  1 +
 .../bitwarden-desktop-bin-2023.12.0.ebuild         | 90 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-10 05:51:52 UTC
~ is all-unstable and noglsa, but we need cleanup.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-17 03:56:16 UTC
Please don't forget to update the whiteboard when closing.