| Summary: | <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | nvaert1986 <nvaert1986> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ajak, csfore, kensington |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/bitwarden/clients/releases/tag/desktop-v2023.9.0 | | |
| See Also: | https://github.com/bitwarden/clients/pull/6295, https://github.com/gentoo/gentoo/pull/34223 | | |
| Whiteboard: | ~1 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 916688 | | |
| Bug Blocks: | 914072 | | |
Description
nvaert1986
2023-12-08 11:01:28 UTC

If it was already requested then why request it a second time?

This bug is related to a security vulnerability; the other was just a regular bump request. Feel free to close, merge, or link one of them. I figured I'd report it separately as a matter of some importance due to security bugs (though unlikely to be exploited, it could be done).

I presume the primary fixed vulnerabilities here are CVE-2023-4863 and CVE-2023-5129?

(In reply to John Helmert III from comment #3)
> I presume the primary fixed vulnerabilities here are CVE-2023-4863 and
> CVE-2023-5129?

This is correct. It was basically included in 2023.9.0 as they upgraded the Electron version to 24.8.3. Some say there is no direct impact, while others state it can have an impact through rendering an external icon as described here: https://community.bitwarden.com/t/cve-2023-4863-cve-2023-5129/58580/3

"It can through the icons feature. While I don’t have a webp image file to test the exploit, I have tested that the desktop electron client happily renders a webp image - if served by the icons server."

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf

commit 92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf
Author: Christopher Fore <csfore@posteo.net>
AuthorDate: 2023-12-10 20:39:47 +0000
Commit: Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-01-07 00:08:56 +0000

    app-admin/bitwarden-desktop-bin: add 2023.12.0

    Bug: https://bugs.gentoo.org/919456
    Closes: https://bugs.gentoo.org/916688
    Closes: https://github.com/gentoo/gentoo/pull/34223
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-admin/bitwarden-desktop-bin/Manifest | 1 +
 .../bitwarden-desktop-bin-2023.12.0.ebuild | 90 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)

~ is all-unstable and noglsa, but we need cleanup. Please don't forget to update the whiteboard when closing.