Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
Sure Martin. Regards, Soumya From: Martin Jansa Sent: Thursday, November 2, 2023 12:35 PM To: Sambu, Soumya Cc: st...@sakoman.com ; openembedded-core@lists.openembedded.org Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. On Thu, Nov 2, 2023 at 7:57 AM Sambu, Soumya mailto:soumya.sa...@windriver.com>> wrote: Hi Martin, Steve, Debian has mentioned https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0<https://urldefense.com/v3/__https://chromium.googlesource.com/webm/libwebp.git/*/95ea5226c870449522240ccff26f0b006037c520*5E*21/*F0__;KyUlIw!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZES2_uY8Fc$> as followup commit for CVE-2023-4863 [Reference: https://security-tracker.debian.org/tracker/CVE-2023-4863<https://urldefense.com/v3/__https://security-tracker.debian.org/tracker/CVE-2023-4863__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESjF4z9k0$>]. This commit was suggested in Bugzilla SUSE as well - https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13<https://urldefense.com/v3/__https://bugzilla.suse.com/show_bug.cgi?id=1215231*c13__;Iw!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESlK1lfDg$> Aha, thanks for this information, can you please make sure that all supported branches receive this additional commit (preferably in less confusing set of .patch files, e.g. apply both from CVE-2023-4863.patch and remove CVE-2023-5129.patch)? Regards, Soumya From: openembedded-core@lists.openembedded.org<mailto:openembedded-core@lists.openembedded.org> mailto:openembedded-core@lists.openembedded.org>> on behalf of Steve Sakoman via lists.openembedded.org<https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESh49m9Ao$> mailto:sakoman@lists.openembedded.org>> Sent: Wednesday, November 1, 2023 7:21 PM To: Martin Jansa mailto:martin.ja...@gmail.com>> Cc: openembedded-core@lists.openembedded.org<mailto:openembedded-core@lists.openembedded.org> mailto:openembedded-core@lists.openembedded.org>> Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. Thanks for reviewing Martin! I'll drop this patch until there is further clarification on the need for it. Steve On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa mailto:martin.ja...@gmail.com>> wrote: > > I'm surprised this one does apply in kirkstone as there is this security > issue already fixed as 2023-5129 (see dunfell commit > https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b<https://urldefense.com/v3/__https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZEScr20Fek$> > and a bit more details in > https://lists.openembedded.org/g/openembedded-core/message/189262<https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-core/message/189262__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESjPybAj8$> > ) > > Is > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520<https://urldefense.com/v3/__https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESSSDnB1o$> > really related to CVE-2023-4863 ? > > On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman > mailto:st...@sakoman.com>> wrote: >> >> From: Soumya Sambu >> mailto:soumya.sa...@windriver.com>> >> >> Heap buffer overflow in WebP in Google Chrome prior to >> 116.0.5845.187 allowed a remote attacker to perform an >> out of bounds memory write via a crafted HTML page. >> >> References: >> https://nvd.nist.gov/vuln/detail/CVE-2023-4863<https://urldefense.com/v3/__https://nvd.nist.gov/vuln/detail/CVE-2023-4863__;!!AjveYdw8EvQ!dCWYSGOx1CaWD6bo_z2fXrO_SLJmHSwBqYAiEz6BStoDU8EgzhbTekVavdCW9BQFzdU-qaYmWwDozSkBKZESN3Jhg9I$> >> https://security-tracker.debian.org/tracker/CVE-2023-4863<https://urldefense.com/v3/__https://security-tracker.debian.o
Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
On Thu, Nov 2, 2023 at 7:57 AM Sambu, Soumya wrote: > Hi Martin, Steve, > > Debian has mentioned > https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 > as > followup commit for CVE-2023-4863 [Reference: > https://security-tracker.debian.org/tracker/CVE-2023-4863]. > > This commit was suggested in Bugzilla SUSE as well - > https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13 > Aha, thanks for this information, can you please make sure that all supported branches receive this additional commit (preferably in less confusing set of .patch files, e.g. apply both from CVE-2023-4863.patch and remove CVE-2023-5129.patch)? > > Regards, > Soumya > -- > *From:* openembedded-core@lists.openembedded.org < > openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via > lists.openembedded.org > *Sent:* Wednesday, November 1, 2023 7:21 PM > *To:* Martin Jansa > *Cc:* openembedded-core@lists.openembedded.org < > openembedded-core@lists.openembedded.org> > *Subject:* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 > > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and > know the content is safe. > > Thanks for reviewing Martin! > > I'll drop this patch until there is further clarification on the need for > it. > > Steve > > On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa > wrote: > > > > I'm surprised this one does apply in kirkstone as there is this security > issue already fixed as 2023-5129 (see dunfell commit > https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b > and a bit more details in > https://lists.openembedded.org/g/openembedded-core/message/189262 ) > > > > Is > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > really related to CVE-2023-4863 ? > > > > On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman > wrote: > >> > >> From: Soumya Sambu > >> > >> Heap buffer overflow in WebP in Google Chrome prior to > >> 116.0.5845.187 allowed a remote attacker to perform an > >> out of bounds memory write via a crafted HTML page. > >> > >> References: > >> https://nvd.nist.gov/vuln/detail/CVE-2023-4863 > >> https://security-tracker.debian.org/tracker/CVE-2023-4863 > >> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 > >> > >> Signed-off-by: Soumya Sambu > >> Signed-off-by: Steve Sakoman > >> --- > >> .../webp/files/CVE-2023-4863.patch| 53 +++ > >> meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + > >> 2 files changed, 54 insertions(+) > >> create mode 100644 > meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > >> > >> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > >> new file mode 100644 > >> index 00..2b1817822c > >> --- /dev/null > >> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > >> @@ -0,0 +1,53 @@ > >> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 > >> +From: Vincent Rabaud > >> +Date: Mon, 11 Sep 2023 16:06:08 +0200 > >> +Subject: [PATCH] Fix invalid incremental decoding check. > >> + > >> +The first condition is only necessary if we have not read enough > >> +(enough being defined by src_last, not src_end which is the end > >> +of the image). > >> +The second condition now fits the comment below: "if not > >> +incremental, and we are past the end of buffer". > >> + > >> +BUG=oss-fuzz:62136 > >> + > >> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f > >> + > >> +CVE: CVE-2023-4863 > >> + > >> +Upstream-Status: Backport [ > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > ] > >> + > >> +Signed-off-by: Soumya Sambu > >> +--- > >> + src/dec/vp8l_dec.c | 15 +-- > >> + 1 file changed, 13 insertions(+), 2 deletions(-) > >> + > >> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c > >> +index 186b0b2..59a9e64 100644 > >> +--- a/src/dec/vp8l_dec.c > >> b/src/dec/vp8l_dec.c > >> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const > dec, uint32_t* const data, > >> +
Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
Hi Martin, Steve, Debian has mentioned https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 as followup commit for CVE-2023-4863 [Reference: https://security-tracker.debian.org/tracker/CVE-2023-4863]. This commit was suggested in Bugzilla SUSE as well - https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13 Regards, Soumya From: openembedded-core@lists.openembedded.org on behalf of Steve Sakoman via lists.openembedded.org Sent: Wednesday, November 1, 2023 7:21 PM To: Martin Jansa Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. Thanks for reviewing Martin! I'll drop this patch until there is further clarification on the need for it. Steve On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa wrote: > > I'm surprised this one does apply in kirkstone as there is this security > issue already fixed as 2023-5129 (see dunfell commit > https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b > and a bit more details in > https://lists.openembedded.org/g/openembedded-core/message/189262 ) > > Is > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > really related to CVE-2023-4863 ? > > On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman wrote: >> >> From: Soumya Sambu >> >> Heap buffer overflow in WebP in Google Chrome prior to >> 116.0.5845.187 allowed a remote attacker to perform an >> out of bounds memory write via a crafted HTML page. >> >> References: >> https://nvd.nist.gov/vuln/detail/CVE-2023-4863 >> https://security-tracker.debian.org/tracker/CVE-2023-4863 >> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 >> >> Signed-off-by: Soumya Sambu >> Signed-off-by: Steve Sakoman >> --- >> .../webp/files/CVE-2023-4863.patch| 53 +++ >> meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + >> 2 files changed, 54 insertions(+) >> create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> >> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> new file mode 100644 >> index 00..2b1817822c >> --- /dev/null >> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> @@ -0,0 +1,53 @@ >> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 >> +From: Vincent Rabaud >> +Date: Mon, 11 Sep 2023 16:06:08 +0200 >> +Subject: [PATCH] Fix invalid incremental decoding check. >> + >> +The first condition is only necessary if we have not read enough >> +(enough being defined by src_last, not src_end which is the end >> +of the image). >> +The second condition now fits the comment below: "if not >> +incremental, and we are past the end of buffer". >> + >> +BUG=oss-fuzz:62136 >> + >> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f >> + >> +CVE: CVE-2023-4863 >> + >> +Upstream-Status: Backport >> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] >> + >> +Signed-off-by: Soumya Sambu >> +--- >> + src/dec/vp8l_dec.c | 15 +-- >> + 1 file changed, 13 insertions(+), 2 deletions(-) >> + >> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c >> +index 186b0b2..59a9e64 100644 >> +--- a/src/dec/vp8l_dec.c >> b/src/dec/vp8l_dec.c >> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, >> uint32_t* const data, >> + } >> + >> + br->eos_ = VP8LIsEndOfStream(br); >> +- if (dec->incremental_ && br->eos_ && src < src_end) { >> ++ // In incremental decoding: >> ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and >> ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' >> has to >> ++ // be reset until there is more data. >> ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer >> is >> ++ // fully read, either enough has been read to reach 'src_last'. >> ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can >> actually go >> ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes >> further. >> ++ // The buffer might have been enough or t
Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
Thanks for reviewing Martin! I'll drop this patch until there is further clarification on the need for it. Steve On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa wrote: > > I'm surprised this one does apply in kirkstone as there is this security > issue already fixed as 2023-5129 (see dunfell commit > https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b > and a bit more details in > https://lists.openembedded.org/g/openembedded-core/message/189262 ) > > Is > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > really related to CVE-2023-4863 ? > > On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman wrote: >> >> From: Soumya Sambu >> >> Heap buffer overflow in WebP in Google Chrome prior to >> 116.0.5845.187 allowed a remote attacker to perform an >> out of bounds memory write via a crafted HTML page. >> >> References: >> https://nvd.nist.gov/vuln/detail/CVE-2023-4863 >> https://security-tracker.debian.org/tracker/CVE-2023-4863 >> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 >> >> Signed-off-by: Soumya Sambu >> Signed-off-by: Steve Sakoman >> --- >> .../webp/files/CVE-2023-4863.patch| 53 +++ >> meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + >> 2 files changed, 54 insertions(+) >> create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> >> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> new file mode 100644 >> index 00..2b1817822c >> --- /dev/null >> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch >> @@ -0,0 +1,53 @@ >> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 >> +From: Vincent Rabaud >> +Date: Mon, 11 Sep 2023 16:06:08 +0200 >> +Subject: [PATCH] Fix invalid incremental decoding check. >> + >> +The first condition is only necessary if we have not read enough >> +(enough being defined by src_last, not src_end which is the end >> +of the image). >> +The second condition now fits the comment below: "if not >> +incremental, and we are past the end of buffer". >> + >> +BUG=oss-fuzz:62136 >> + >> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f >> + >> +CVE: CVE-2023-4863 >> + >> +Upstream-Status: Backport >> [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] >> + >> +Signed-off-by: Soumya Sambu >> +--- >> + src/dec/vp8l_dec.c | 15 +-- >> + 1 file changed, 13 insertions(+), 2 deletions(-) >> + >> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c >> +index 186b0b2..59a9e64 100644 >> +--- a/src/dec/vp8l_dec.c >> b/src/dec/vp8l_dec.c >> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, >> uint32_t* const data, >> + } >> + >> + br->eos_ = VP8LIsEndOfStream(br); >> +- if (dec->incremental_ && br->eos_ && src < src_end) { >> ++ // In incremental decoding: >> ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and >> ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' >> has to >> ++ // be reset until there is more data. >> ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer >> is >> ++ // fully read, either enough has been read to reach 'src_last'. >> ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can >> actually go >> ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes >> further. >> ++ // The buffer might have been enough or there is some left. 'br->eos_' >> does >> ++ // not matter. >> ++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= >> src_last); >> ++ if (dec->incremental_ && br->eos_ && src < src_last) { >> + RestoreState(dec); >> +- } else if (!br->eos_) { >> ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { >> + // Process the remaining rows corresponding to last row-block. >> + if (process_func != NULL) { >> + process_func(dec, row > last_row ? last_row : row); >> +-- >> +2.40.0 >> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> index 4defdd5e42..0728ca60f5 100644 >> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb >> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = >> "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ >> SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ >> file://CVE-2023-1999.patch \ >> file://CVE-2023-5129.patch \ >> + file://CVE-2023-4863.patch \ >> " >> SRC_URI[sha256sum] = >> "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df" >> >> -- >> 2.34.1 >> >> >> >> -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189914):
Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
I'm surprised this one does apply in kirkstone as there is this security issue already fixed as 2023-5129 (see dunfell commit https://git.openembedded.org/openembedded-core/commit/?h=dunfell=7dce529515baa843ba3e5c89b2ad605b9845c59b and a bit more details in https://lists.openembedded.org/g/openembedded-core/message/189262 ) Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 really related to CVE-2023-4863 ? On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman wrote: > From: Soumya Sambu > > Heap buffer overflow in WebP in Google Chrome prior to > 116.0.5845.187 allowed a remote attacker to perform an > out of bounds memory write via a crafted HTML page. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2023-4863 > https://security-tracker.debian.org/tracker/CVE-2023-4863 > https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 > > Signed-off-by: Soumya Sambu > Signed-off-by: Steve Sakoman > --- > .../webp/files/CVE-2023-4863.patch| 53 +++ > meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + > 2 files changed, 54 insertions(+) > create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > > diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > new file mode 100644 > index 00..2b1817822c > --- /dev/null > +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch > @@ -0,0 +1,53 @@ > +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 > +From: Vincent Rabaud > +Date: Mon, 11 Sep 2023 16:06:08 +0200 > +Subject: [PATCH] Fix invalid incremental decoding check. > + > +The first condition is only necessary if we have not read enough > +(enough being defined by src_last, not src_end which is the end > +of the image). > +The second condition now fits the comment below: "if not > +incremental, and we are past the end of buffer". > + > +BUG=oss-fuzz:62136 > + > +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f > + > +CVE: CVE-2023-4863 > + > +Upstream-Status: Backport [ > https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 > ] > + > +Signed-off-by: Soumya Sambu > +--- > + src/dec/vp8l_dec.c | 15 +-- > + 1 file changed, 13 insertions(+), 2 deletions(-) > + > +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c > +index 186b0b2..59a9e64 100644 > +--- a/src/dec/vp8l_dec.c > b/src/dec/vp8l_dec.c > +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, > uint32_t* const data, > + } > + > + br->eos_ = VP8LIsEndOfStream(br); > +- if (dec->incremental_ && br->eos_ && src < src_end) { > ++ // In incremental decoding: > ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer > and > ++ // 'src_last' has not been reached yet, there is not enough data. > 'dec' has to > ++ // be reset until there is more data. > ++ // !br->eos_ && src < src_last: this cannot happen as either the > buffer is > ++ // fully read, either enough has been read to reach 'src_last'. > ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can > actually go > ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes > further. > ++ // The buffer might have been enough or there is some left. 'br->eos_' > does > ++ // not matter. > ++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= > src_last); > ++ if (dec->incremental_ && br->eos_ && src < src_last) { > + RestoreState(dec); > +- } else if (!br->eos_) { > ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { > + // Process the remaining rows corresponding to last row-block. > + if (process_func != NULL) { > + process_func(dec, row > last_row ? last_row : row); > +-- > +2.40.0 > diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb > b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb > index 4defdd5e42..0728ca60f5 100644 > --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb > +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb > @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = > "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ > SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ > file://CVE-2023-1999.patch \ > file://CVE-2023-5129.patch \ > + file://CVE-2023-4863.patch \ > " > SRC_URI[sha256sum] = > "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df" > > -- > 2.34.1 > > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189889): https://lists.openembedded.org/g/openembedded-core/message/189889 Mute This Topic: https://lists.openembedded.org/mt/102307907/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Patchtest results for [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/kirkstone-3-3-libwebp-Fix-CVE-2023-4863.patch FAIL: test CVE presence in commit message: A CVE tag should be provided in the commit message with format: "CVE: CVE--" (test_mbox.TestMbox.test_cve_presence_in_commit_message) PASS: pretest lic files chksum modified not mentioned (test_metadata.TestMetadata.pretest_lic_files_chksum_modified_not_mentioned) PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files) PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format) PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence) PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence) PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format) PASS: test author valid (test_mbox.TestMbox.test_author_valid) PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence) PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files) SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint) SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format) SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence) SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence) SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint) SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head) SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence) SKIP: test target mailing list: Series merged, no reason to check other mailing lists (test_mbox.TestMbox.test_target_mailing_list) --- Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you! -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189875): https://lists.openembedded.org/g/openembedded-core/message/189875 Mute This Topic: https://lists.openembedded.org/mt/102308199/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
From: Soumya Sambu Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. References: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 https://security-tracker.debian.org/tracker/CVE-2023-4863 https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../webp/files/CVE-2023-4863.patch| 53 +++ meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch new file mode 100644 index 00..2b1817822c --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch @@ -0,0 +1,53 @@ +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 +From: Vincent Rabaud +Date: Mon, 11 Sep 2023 16:06:08 +0200 +Subject: [PATCH] Fix invalid incremental decoding check. + +The first condition is only necessary if we have not read enough +(enough being defined by src_last, not src_end which is the end +of the image). +The second condition now fits the comment below: "if not +incremental, and we are past the end of buffer". + +BUG=oss-fuzz:62136 + +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f + +CVE: CVE-2023-4863 + +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] + +Signed-off-by: Soumya Sambu +--- + src/dec/vp8l_dec.c | 15 +-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c +index 186b0b2..59a9e64 100644 +--- a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data, + } + + br->eos_ = VP8LIsEndOfStream(br); +- if (dec->incremental_ && br->eos_ && src < src_end) { ++ // In incremental decoding: ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to ++ // be reset until there is more data. ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is ++ // fully read, either enough has been read to reach 'src_last'. ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further. ++ // The buffer might have been enough or there is some left. 'br->eos_' does ++ // not matter. ++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last); ++ if (dec->incremental_ && br->eos_ && src < src_last) { + RestoreState(dec); +- } else if (!br->eos_) { ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { + // Process the remaining rows corresponding to last row-block. + if (process_func != NULL) { + process_func(dec, row > last_row ? last_row : row); +-- +2.40.0 diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb index 4defdd5e42..0728ca60f5 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ file://CVE-2023-1999.patch \ file://CVE-2023-5129.patch \ + file://CVE-2023-4863.patch \ " SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df" -- 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189873): https://lists.openembedded.org/g/openembedded-core/message/189873 Mute This Topic: https://lists.openembedded.org/mt/102307907/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-