Thanks for reviewing Martin! I'll drop this patch until there is further clarification on the need for it.
Steve On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa <martin.ja...@gmail.com> wrote: > > I'm surprised this one does apply in kirkstone as there is this security > issue already fixed as 2023-5129 (see dunfell commit > https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b > and a bit more details in > https://lists.openembedded.org/g/openembedded-core/message/189262 ) > > Is > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > really related to CVE-2023-4863 ? > > On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <st...@sakoman.com> wrote: >> >> From: Soumya Sambu <soumya.sa...@windriver.com> >> >> Heap buffer overflow in WebP in Google Chrome prior to >> 116.0.5845.187 allowed a remote attacker to perform an >> out of bounds memory write via a crafted HTML page. >> >> References: >> https://nvd.nist.gov/vuln/detail/CVE-2023-4863 >> https://security-tracker.debian.org/tracker/CVE-2023-4863 >> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 >> >> Signed-off-by: Soumya Sambu <soumya.sa...@windriver.com> >> Signed-off-by: Steve Sakoman <st...@sakoman.com> >> --- >> .../webp/files/CVE-2023-4863.patch | 53 +++++++++++++++++++ >> meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + >> 2 files changed, 54 insertions(+) >> create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> >> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> new file mode 100644 >> index 0000000000..2b1817822c >> --- /dev/null >> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> @@ -0,0 +1,53 @@ >> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 >> +From: Vincent Rabaud <vrab...@google.com> >> +Date: Mon, 11 Sep 2023 16:06:08 +0200 >> +Subject: [PATCH] Fix invalid incremental decoding check. >> + >> +The first condition is only necessary if we have not read enough >> +(enough being defined by src_last, not src_end which is the end >> +of the image). >> +The second condition now fits the comment below: "if not >> +incremental, and we are past the end of buffer". >> + >> +BUG=oss-fuzz:62136 >> + >> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f >> + >> +CVE: CVE-2023-4863 >> + >> +Upstream-Status: Backport >> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] >> + >> +Signed-off-by: Soumya Sambu <soumya.sa...@windriver.com> >> +--- >> + src/dec/vp8l_dec.c | 15 +++++++++++++-- >> + 1 file changed, 13 insertions(+), 2 deletions(-) >> + >> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c >> +index 186b0b2..59a9e64 100644 >> +--- a/src/dec/vp8l_dec.c >> ++++ b/src/dec/vp8l_dec.c >> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, >> uint32_t* const data, >> + } >> + >> + br->eos_ = VP8LIsEndOfStream(br); >> +- if (dec->incremental_ && br->eos_ && src < src_end) { >> ++ // In incremental decoding: >> ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and >> ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' >> has to >> ++ // be reset until there is more data. >> ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer >> is >> ++ // fully read, either enough has been read to reach 'src_last'. >> ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can >> actually go >> ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes >> further. >> ++ // The buffer might have been enough or there is some left. 'br->eos_' >> does >> ++ // not matter. >> ++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= >> src_last); >> ++ if (dec->incremental_ && br->eos_ && src < src_last) { >> + RestoreState(dec); >> +- } else if (!br->eos_) { >> ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { >> + // Process the remaining rows corresponding to last row-block. >> + if (process_func != NULL) { >> + process_func(dec, row > last_row ? last_row : row); >> +-- >> +2.40.0 >> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> index 4defdd5e42..0728ca60f5 100644 >> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = >> "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ >> SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ >> file://CVE-2023-1999.patch \ >> file://CVE-2023-5129.patch \ >> + file://CVE-2023-4863.patch \ >> " >> SRC_URI[sha256sum] = >> "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df" >> >> -- >> 2.34.1 >> >> >> >>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189914): https://lists.openembedded.org/g/openembedded-core/message/189914 Mute This Topic: https://lists.openembedded.org/mt/102307907/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
