[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06
Please bump to 116.0.5845.187.
We are not using the bundled libwebp
Does that make it invalid, or do we need to change it to a libwebp bug?
(In reply to Sam James from comment #3)
> Does that make it invalid, or do we need to change it to a libwebp bug?

Looks like it's https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a (same Chromium bug number).
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3312efae7ac21c8551e2c4ebab45ffdc465f87db
commit 3312efae7ac21c8551e2c4ebab45ffdc465f87db
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-09-12 01:31:51 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-09-12 02:41:14 +0000
    media-libs/libwebp: add 1.3.1_p20230908
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
 media-libs/libwebp/Manifest | 1 +
 media-libs/libwebp/libwebp-1.3.1_p20230908.ebuild | 74 +++++++++++++++++++++++
 2 files changed, 75 insertions(+)
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7dc5b31de7332959edf926f3383df0af3cfde4d
commit f7dc5b31de7332959edf926f3383df0af3cfde4d
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-09-11 22:30:57 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-09-12 02:41:10 +0000
    www-client/chromium: add 116.0.5845.187
    Updated raptor patches to 116.0.5845.140-1raptor0~deb12u1
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
 www-client/chromium/Manifest | 2 +
 www-client/chromium/chromium-116.0.5845.187.ebuild | 1261 ++++++++++++++++++++
 2 files changed, 1263 insertions(+)
Maybe relevant: There has been another commit to the libwebp repository shortly after this vuln was fixed, and according to the description, it sounds like another buffer oob issue: https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 Though it's hard to tell how severe without detailed analysis. Maybe we should bump to a new git snapshot to make sure we have that fix as well?
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8314a1280b3ca5bcc95a8b7e671daf7975bfdff9
commit 8314a1280b3ca5bcc95a8b7e671daf7975bfdff9
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-09-14 00:03:27 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-09-14 02:49:49 +0000
    media-libs/libwebp: add 1.3.1_p20230912
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/32768
    Signed-off-by: Sam James <sam@gentoo.org>
 media-libs/libwebp/Manifest | 1 +
 media-libs/libwebp/libwebp-1.3.1_p20230912.ebuild | 74 +++++++++++++++++++++++
 2 files changed, 75 insertions(+)
You did a snapshot bump from main branch which is more a 1.4.0_pre. There is now a 1.3.2 release which contains the security fix.
(In reply to Stephan Hartmann from comment #8)
> You did a snapshot bump from main branch which is more a 1.4.0_pre. There is
> now a 1.3.2 release which contains the security fix.

...I hope this does not end up being a case of breaking things when we go back to 1.3.2 without rebuilding things that were built against the snapshot.
Honestly I'm not worried. 90% of the changes are style, spec, or fuzzers, then there's the two commits that we care about, and some dependent changes in `ReadHuffmanCodes` that caused me to snapshot in the first place.
Outstanding:
- update to libsharpyuv
- two commits adding additional SSE/SSE2 bits
- a typo fix

I'm actually more annoyed that this will be the _third_ bump in what feels like five minutes.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=d361bb64925c940e98cf1429e87cc88bb33ce358
commit d361bb64925c940e98cf1429e87cc88bb33ce358
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 05:52:57 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 05:53:28 +0000
    [ GLSA 202309-05 ] WebP: Multiple vulnerabilities
    Bug: https://bugs.gentoo.org/909369
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>
 glsa-202309-05.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12cc5973de5021fbaea8f37bc4f185c5854713c8
commit 12cc5973de5021fbaea8f37bc4f185c5854713c8
Author: Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-09-15 23:52:20 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 06:15:06 +0000
    media-libs/libwebp: add 1.3.2
    This release came out after the last two 1.3.1 snapshots, but only contains the CVE fix. We're _not_ vulnerable, but it's good to be consistent and will stop anyone from claiming that we are based simply on the version string.
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/32819
    Signed-off-by: Sam James <sam@gentoo.org>
 media-libs/libwebp/Manifest | 1 +
 media-libs/libwebp/libwebp-1.3.2.ebuild | 73 +++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b1eb4b6af17f366397ff9754d6e4a6744a7310f
commit 9b1eb4b6af17f366397ff9754d6e4a6744a7310f
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-12-22 01:40:13 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-12-22 01:40:13 +0000
    media-libs/libwebp: drop 1.2.4-r2
    Bug: https://bugs.gentoo.org/914010
    Signed-off-by: John Helmert III <ajak@gentoo.org>
 media-libs/libwebp/Manifest | 1 -
 media-libs/libwebp/libwebp-1.2.4-r2.ebuild | 78 ------------------------------
 2 files changed, 79 deletions(-)