919456 – <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnterability

Bug 919456 - <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnterability

Summary: <app-admin/bitwarden-desktop-bin-2023.12.0 WebP security vulnterability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal with 1 vote (vote)
Assignee:	Gentoo Security

URL:	https://github.com/bitwarden/clients/...
Whiteboard:	~1 [noglsa]
Keywords:	PullRequest

Depends on:	916688
Blocks:	CVE-2023-4863, CVE-2023-5129
	Show dependency tree

Reported:	2023-12-08 11:01 UTC by nvaert1986
Modified:	2024-03-17 03:56 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/bitwarden/clients/pull/6295 https://github.com/gentoo/gentoo/pull/34223
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description nvaert1986 2023-12-08 11:01:28 UTC

As already requested per: https://bugs.gentoo.org/916688. Please update the version of app-admin/bitwarden-desktop-bin to 2023.9.0 or higher due to the WebP security 

Reproducible: Always

Steps to Reproduce:
1.Run emerge -pv bitwarden-desktop-bin and notice that the latest version in portage is 2023.7.1.
Actual Results:  
An outdated version of app-admin/bitwarden-desktop-bin.

Expected Results:  
A secure up-to-date version of app-admin/bitwarden-desktop-bin.

Let me know if there's any additional information is necessary.

Comment 1 Eli Schwartz 2023-12-08 15:14:09 UTC

If it was already requested then why request it a second time?

Comment 2 nvaert1986 2023-12-08 16:11:41 UTC

This bug is related to security vulnerability, the other was just a regular bump request. Feel free to close, merge, or link one of them, I figured I'd report it separately as some matter of importance due to security bugs (though unlikely to be exploited it could be done)

Comment 3 John Helmert III archtester

2023-12-22 01:43:38 UTC

I presume the primary fixed vulnerabilities here are CVE-2023-4863 and CVE-2023-5129?

Comment 4 nvaert1986 2023-12-22 07:19:57 UTC

This is (In reply to John Helmert III from comment #3)
> I presume the primary fixed vulnerabilities here are CVE-2023-4863 and
> CVE-2023-5129?

This is correct

Comment 5 nvaert1986 2023-12-22 07:27:11 UTC

It was basically included in 2023.9.0 as they upgraded the Electron version to 24.8.3. Some say there is no direct impact, while others state it can have an impact through rendering an external icon as described here: https://community.bitwarden.com/t/cve-2023-4863-cve-2023-5129/58580/3

"It can through the icons feature. While I don’t have a webp image file to test the exploit, I have tested that the desktop electron client happily renders a webp image - if served by the icons server."

Comment 6 Larry the Git Cow gentoo-dev

2024-01-07 00:16:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf

commit 92a6e2bb1657b621864ef3fc3bd6fc2c97bd69cf
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2023-12-10 20:39:47 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-01-07 00:08:56 +0000

    app-admin/bitwarden-desktop-bin: add 2023.12.0
    
    Bug: https://bugs.gentoo.org/919456
    Closes: https://bugs.gentoo.org/916688
    Closes: https://github.com/gentoo/gentoo/pull/34223
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 app-admin/bitwarden-desktop-bin/Manifest           |  1 +
 .../bitwarden-desktop-bin-2023.12.0.ebuild         | 90 ++++++++++++++++++++++
 2 files changed, 91 insertions(+)

Comment 7 John Helmert III archtester

2024-02-10 05:51:52 UTC

~ is all-unstable and noglsa, but we need cleanup.

Comment 8 John Helmert III archtester

2024-03-17 03:56:16 UTC

Please don't forget to update the whiteboard when closing.