
List:       openembedded-core
Subject:    Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
From:       "Martin Jansa" <martin.jansa () gmail ! com>
Date:       2023-10-31 23:39:42
Message-ID: CA+chaQeAGGEAYu8tnrsgyEN39+TNtYi6HJoGc4bfyDGjBiTpnQ () mail ! gmail ! com


I'm surprised this one does apply in kirkstone as there is this security issue already fixed as 2023-5129 (see dunfell commit https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b and a bit more details in https://lists.openembedded.org/g/openembedded-core/message/189262 )

Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 really related to CVE-2023-4863?

On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <steve@sakoman.com> wrote:

> From: Soumya Sambu <soumya.sambu@windriver.com>
> 
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
> 
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> .../webp/files/CVE-2023-4863.patch            | 53 +++++++++++++++++++
> meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
> 2 files changed, 54 insertions(+)
> create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> 
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> new file mode 100644
> index 0000000000..2b1817822c
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
> @@ -0,0 +1,53 @@
> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
> +From: Vincent Rabaud <vrabaud@google.com>
> +Date: Mon, 11 Sep 2023 16:06:08 +0200
> +Subject: [PATCH] Fix invalid incremental decoding check.
> +
> +The first condition is only necessary if we have not read enough
> +(enough being defined by src_last, not src_end which is the end
> +of the image).
> +The second condition now fits the comment below: "if not
> +incremental, and we are past the end of buffer".
> +
> +BUG=oss-fuzz:62136
> +
> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
> +
> +CVE: CVE-2023-4863
> +
> +Upstream-Status: Backport [
> https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
>  ]
> +
> +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> +---
> + src/dec/vp8l_dec.c | 15 +++++++++++++--
> + 1 file changed, 13 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> +index 186b0b2..59a9e64 100644
> +--- a/src/dec/vp8l_dec.c
> ++++ b/src/dec/vp8l_dec.c
> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec,
> uint32_t* const data,
> +   }
> +
> +   br->eos_ = VP8LIsEndOfStream(br);
> +-  if (dec->incremental_ && br->eos_ && src < src_end) {
> ++  // In incremental decoding:
> ++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer
> and
> ++  // 'src_last' has not been reached yet, there is not enough data.
> 'dec' has to
> ++  // be reset until there is more data.
> ++  // !br->eos_ && src < src_last: this cannot happen as either the
> buffer is
> ++  // fully read, either enough has been read to reach 'src_last'.
> ++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can
> actually go
> ++  // beyond 'src_last' in case the image is cropped and an LZ77 goes
> further.
> ++  // The buffer might have been enough or there is some left. 'br->eos_'
> does
> ++  // not matter.
> ++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >=
> src_last);
> ++  if (dec->incremental_ && br->eos_ && src < src_last) {
> +     RestoreState(dec);
> +-  } else if (!br->eos_) {
> ++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
> +     // Process the remaining rows corresponding to last row-block.
> +     if (process_func != NULL) {
> +       process_func(dec, row > last_row ? last_row : row);
> +--
> +2.40.0
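Review bot: the "CVE: CVE-2023-4863" tag in this patch header is not supported by the upstream commit it wraps, whose own message is "Fix invalid incremental decoding check." with "BUG=oss-fuzz:62136" and no CVE reference; as the reply above notes, the recipe already carries CVE-2023-5129.patch for this security issue, so this backport reads as a follow-up correctness fix in the incremental decoding path rather than the fix for the CVE. Suggest either confirming the mapping against the NVD entry linked in the commit message and saying so in the header, or dropping the CVE: line, since cve-check reads that tag and would otherwise record the CVE as fixed by a patch that does not fix it. Separately, the new assert() and the rewritten conditions use src_last, which does not appear in the hunk's context lines, and the patch was generated against a newer tree (index 186b0b2..59a9e64); confirm that src_last is defined in DecodeImageData() in libwebp 1.2.4 and that assert.h is already included there before applying.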
> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> index 4defdd5e42..0728ca60f5 100644
> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
> SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
> file://CVE-2023-1999.patch \
> file://CVE-2023-5129.patch \
> +           file://CVE-2023-4863.patch \
> "
> SRC_URI[sha256sum] =
> "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
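Review bot: SRC_URI now lists CVE-2023-5129.patch immediately followed by CVE-2023-4863.patch, and per the reply above the first already addresses this CVE; if both are kept, verify that CVE-2023-4863.patch still applies cleanly on top of CVE-2023-5129.patch (the new one was generated against a newer libwebp tree) and that its CVE: tag does not lead cve-check to report the same CVE as fixed twice under different patches.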
> 
> --
> 2.34.1





View/Reply Online (#189889): https://lists.openembedded.org/g/openembedded-core/message/189889


