List: openembedded-core
Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
From: "Martin Jansa" <martin.jansa () gmail ! com>
Date: 2023-10-31 23:39:42
Message-ID: CA+chaQeAGGEAYu8tnrsgyEN39+TNtYi6HJoGc4bfyDGjBiTpnQ () mail ! gmail ! com
I'm surprised this one does apply in kirkstone as there is this security issue already fixed as 2023-5129 (see dunfell commit https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b and a bit more details in https://lists.openembedded.org/g/openembedded-core/message/189262)

Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 really related to CVE-2023-4863?
On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <steve@sakoman.com> wrote:
> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> .../webp/files/CVE-2023-4863.patch | 53 +++++++++++++++++++
> meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 +
> 2 files changed, 54 insertions(+)
> create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> new file mode 100644
> index 0000000000..2b1817822c
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> @@ -0,0 +1,53 @@
> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
> +From: Vincent Rabaud <vrabaud@google.com>
> +Date: Mon, 11 Sep 2023 16:06:08 +0200
> +Subject: [PATCH] Fix invalid incremental decoding check.
> +
> +The first condition is only necessary if we have not read enough
> +(enough being defined by src_last, not src_end which is the end
> +of the image).
> +The second condition now fits the comment below: "if not
> +incremental, and we are past the end of buffer".
> +
> +BUG=oss-fuzz:62136
> +
> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> +
> +CVE: CVE-2023-4863
> +
> +Upstream-Status: Backport [
> https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
> ]
> +
> +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> +---
> + src/dec/vp8l_dec.c | 15 +++++++++++++--
> + 1 file changed, 13 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> +index 186b0b2..59a9e64 100644
> +--- a/src/dec/vp8l_dec.c
> ++++ b/src/dec/vp8l_dec.c
> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec,
> uint32_t* const data,
> + }
> +
> + br->eos_ = VP8LIsEndOfStream(br);
> +- if (dec->incremental_ && br->eos_ && src < src_end) {
> ++ // In incremental decoding:
> ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer
> and
> ++ // 'src_last' has not been reached yet, there is not enough data.
> 'dec' has to
> ++ // be reset until there is more data.
> ++ // !br->eos_ && src < src_last: this cannot happen as either the
> buffer is
> ++ // fully read, either enough has been read to reach 'src_last'.
> ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can
> actually go
> ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes
> further.
> ++ // The buffer might have been enough or there is some left. 'br->eos_'
> does
> ++ // not matter.
> ++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >=
> src_last);
> ++ if (dec->incremental_ && br->eos_ && src < src_last) {
> + RestoreState(dec);
> +- } else if (!br->eos_) {
> ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
> + // Process the remaining rows corresponding to last row-block.
> + if (process_func != NULL) {
> + process_func(dec, row > last_row ? last_row : row);
> +--
> +2.40.0
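Review bot: the "CVE: CVE-2023-4863" line in this patch header is the only place the CVE is named; the upstream commit message it wraps ("Fix invalid incremental decoding check", BUG=oss-fuzz:62136, Change-Id I0700f67c...) does not mention CVE-2023-4863, so nothing in the patch itself establishes the mapping. With CVE-2023-5129.patch already in the recipe, the header should say what ties commit 95ea5226 to CVE-2023-4863 (for example the bugzilla comment listed under References in the cover commit message), or the CVE tag should be dropped if this is only a follow-up to the incremental-decoding check. Two smaller points on the vp8l_dec.c hunk: the added assert() is compiled out under NDEBUG, so in release builds only the rewritten "if (dec->incremental_ && br->eos_ && src < src_last)" and "else if ((dec->incremental_ && src >= src_last) || !br->eos_)" conditions enforce the new invariant; and the long comment lines and the assert are wrapped across lines in this mail, so the patch must be taken from the git commit, not from the message body.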
> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> index 4defdd5e42..0728ca60f5 100644
> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
> SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
> file://CVE-2023-1999.patch \
> file://CVE-2023-5129.patch \
> + file://CVE-2023-4863.patch \
> "
> SRC_URI[sha256sum] =
> "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
>
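Review bot: the added file://CVE-2023-4863.patch sits directly under file://CVE-2023-5129.patch and nothing in this hunk or the commit message says how the two relate, so a reviewer cannot tell whether they are independent fixes or the same issue under two identifiers. Because cve-check credits the recipe with a CVE from the patch file name and from the CVE: tag, adding this line marks CVE-2023-4863 as patched in kirkstone regardless of what the patch changes; please state in the commit message why a second patch is needed when CVE-2023-5129.patch is already applied, and, if it is the same fix, add CVE-2023-4863 to the existing patch's CVE: tag instead of carrying a second patch.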
> --
> 2.34.1
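A small audit script for the question raised in the reply above (whether a CVE-tagged backport actually maps to the CVE it is named after), as an added example that is not code from the mail, from openembedded-core or from libwebp. It assumes only the cve-check convention that a CVE id in a patch file name or in a "CVE:" header line credits the recipe with the fix. The CVE-2023-4863 header is the one quoted in the mail; the CVE-2023-5129.patch stand-in and example-dup.patch are constructed inputs, since the mail does not show the real CVE-2023-5129.patch.

```python
"""Audit CVE provenance of patches in a recipe's SRC_URI. Added example, not code
from the mail, openembedded-core or libwebp. Assumes only that cve-check credits a
CVE from the patch file name or a 'CVE:' header line; the extra checks are the ones
the reply asks for: does the upstream message name the CVE, and is one upstream
commit carried twice under different names?"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")
STATUS_RE = re.compile(r"^Upstream-Status:\s*(\w+)", re.M)


def parse_patch(name, text):
    """Describe one patch's header (everything before the '---' diffstat line)."""
    header = text.split("\n---\n", 1)[0]
    cve_tags, cve_in_message = set(), set()
    for line in header.splitlines():
        ids = set(CVE_RE.findall(line))
        if line.startswith("CVE:"):
            cve_tags |= ids          # tag added by the backporter
        else:
            cve_in_message |= ids    # mention inside the upstream message itself
    status = STATUS_RE.search(header)
    sha = SHA_RE.search(header)      # 'From <sha>' line or the Backport [...] URL
    return {"name": name, "cve_in_name": set(CVE_RE.findall(name)),
            "cve_tags": cve_tags, "cve_in_message": cve_in_message,
            "status": status.group(1) if status else None,
            "commit": sha.group(0) if sha else None}


def audit(patches):
    """Return sorted (patch name, finding) pairs for a list of parsed patches."""
    findings, by_commit = [], {}
    for p in patches:
        for cve in sorted(p["cve_in_name"] - p["cve_tags"]):
            findings.append((p["name"], f"{cve} in file name but not in a CVE: tag"))
        for cve in sorted(p["cve_tags"] - p["cve_in_message"]):
            findings.append((p["name"], f"{cve} appears only in the CVE: tag; "
                             "upstream commit message does not reference it"))
        if p["status"] != "Backport":
            findings.append((p["name"], f"Upstream-Status is {p['status']!r}, not Backport"))
        if p["commit"]:
            by_commit.setdefault(p["commit"], []).append(p["name"])
    for sha, names in by_commit.items():
        if len(names) > 1:
            findings.append((", ".join(sorted(names)),
                             f"upstream commit {sha[:12]} backported more than once"))
    return sorted(findings)


# Header of the patch quoted in the mail above (de-wrapped, body trimmed).
PATCH_4863 = """From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud <vrabaud@google.com>
Subject: [PATCH] Fix invalid incremental decoding check.

BUG=oss-fuzz:62136

Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f

CVE: CVE-2023-4863

Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 src/dec/vp8l_dec.c | 15 +++++++++++++--
"""

# Constructed stand-in for CVE-2023-5129.patch (the real file is not in the mail):
# hash, author and text are made up; its upstream message does name the CVE.
PATCH_5129_STANDIN = """From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
Subject: [PATCH] Reject malformed input (constructed example)

Hypothetical upstream message that names the issue it fixes: CVE-2023-5129.

CVE: CVE-2023-5129

Upstream-Status: Backport [https://example.com/commit/0123456789abcdef0123456789abcdef01234567]
---
 src/example.c | 2 +-
"""

# Constructed duplicate: the same libwebp commit carried under a second file name.
PATCH_DUP = """From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
Subject: [PATCH] Fix invalid incremental decoding check.

Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
---
 src/dec/vp8l_dec.c | 15 +++++++++++++--
"""

SAMPLE_PATCHES = {"CVE-2023-4863.patch": PATCH_4863,
                  "CVE-2023-5129.patch": PATCH_5129_STANDIN,
                  "example-dup.patch": PATCH_DUP}


def run_sample():
    """Audit the constructed patch set; returns the findings list."""
    return audit([parse_patch(n, t) for n, t in SAMPLE_PATCHES.items()])
```

To run it against a real recipe, read each file:// patch listed in SRC_URI from the recipe's files/ directory into the dict passed to audit(). On the sample, the first finding is exactly the point of the reply: CVE-2023-4863 exists only in the backporter-added tag, and the second finding shows the same libwebp commit carried twice, which is what a second CVE-named copy of an already-applied fix would look like.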
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189889): https://lists.openembedded.org/g/openembedded-core/message/189889
Mute This Topic: https://lists.openembedded.org/mt/102307907/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-