Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919456 - <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnterability
Summary: <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnterability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Keywords: PullRequest
Depends on: 916688
Blocks: CVE-2023-4863, CVE-2023-5129
  Show dependency tree
Reported: 2023-12-08 11:01 UTC by nvaert1986
Modified: 2024-03-17 03:56 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description nvaert1986 2023-12-08 11:01:28 UTC
As already requested per: Please update the version of app-admin/bitwarden-desktop-bin to 2023.9.0 or higher due to the WebP security 

Reproducible: Always

Steps to Reproduce:
1.Run emerge -pv bitwarden-desktop-bin and notice that the latest version in portage is 2023.7.1.
Actual Results:  
An outdated version of app-admin/bitwarden-desktop-bin.

Expected Results:  
A secure up-to-date version of app-admin/bitwarden-desktop-bin.

Let me know if there's any additional information is necessary.
Comment 1 Eli Schwartz 2023-12-08 15:14:09 UTC
If it was already requested then why request it a second time?
Comment 2 nvaert1986 2023-12-08 16:11:41 UTC
This bug is related to security vulnerability, the other was just a regular bump request. Feel free to close, merge, or link one of them, I figured I'd report it separately as some matter of importance due to security bugs (though unlikely to be exploited it could be done)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 01:43:38 UTC
I presume the primary fixed vulnerabilities here are CVE-2023-4863 and CVE-2023-5129?
Comment 4 nvaert1986 2023-12-22 07:19:57 UTC
This is (In reply to John Helmert III from comment #3)
> I presume the primary fixed vulnerabilities here are CVE-2023-4863 and
> CVE-2023-5129?

This is correct
Comment 5 nvaert1986 2023-12-22 07:27:11 UTC
It was basically included in 2023.9.0 as they upgraded the Electron version to 24.8.3. Some say there is no direct impact, while others state it can have an impact through rendering an external icon as described here:

"It can through the icons feature. While I don’t have a webp image file to test the exploit, I have tested that the desktop electron client happily renders a webp image - if served by the icons server."
Comment 6 Larry the Git Cow gentoo-dev 2024-01-07 00:16:21 UTC
The bug has been referenced in the following commit(s):

commit 92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf
Author:     Christopher Fore <>
AuthorDate: 2023-12-10 20:39:47 +0000
Commit:     Yixun Lan <>
CommitDate: 2024-01-07 00:08:56 +0000

    app-admin/bitwarden-desktop-bin: add 2023.12.0
    Signed-off-by: Christopher Fore <>
    Signed-off-by: Yixun Lan <>

 app-admin/bitwarden-desktop-bin/Manifest           |  1 +
 .../bitwarden-desktop-bin-2023.12.0.ebuild         | 90 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-10 05:51:52 UTC
~ is all-unstable and noglsa, but we need cleanup.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-17 03:56:16 UTC
Please don't forget to update the whiteboard when closing.