Description
Filing this issue to track CVE-2023-4863 related actions in nixpkgs. Feel free to send questions my way and/or contribute via comments in this issue!
What's CVE-2023-4863
A buffer overflow in libwebp which allows a malicious actor to potentially get code execution in software that displays a specially crafted image file. This impacts pretty much all web browsers, as well as other software which might process or display untrusted images (image editing software, email clients, chat clients, social media clients, etc.). Chrome has rated this vulnerability as critical severity and has indicated that they have evidence some actors are already exploiting it in the wild.
This vulnerability was very shortly referred to as CVE-2023-5129, but that second CVE for the same vulnerability has since been withdrawn.
Current status
Firefox and Chromium are not vulnerable anymore as of 2023-09-16 in unstable and 23.05. Direct dependents of the system libwebp are also not vulnerable anymore. Some applications bundle their own version of libwebp instead of using the system version (including some other web browsers in nixpkgs: Brave, Tor Browser, etc.). Each of these needs to be updated separately by nixpkgs maintainers. See below for a list of all the known applications that need an update and their status.
How to help
- Review/merge any nixpkgs PR that you see pending in the task list below.
- Help figure out a course of action for yet untriaged packages. Report your findings and suggested course of action in a comment here, and I'll update the sheet and the task list below.
- If you have an idea of how to fix/address the vulnerability in any of the packages listed in the task list below, don't hesitate to post a comment here and send pull requests! Feel free to cc me on PRs so I can make sure they're tracked and they don't get lost.
Task list
- libwebp is updated in staging-next (unstable: libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254775, 23.05: [staging-23.05] libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254789)
- This will make it to master via staging-next 2023-09-07 #253854 - @vcunat said likely this weekend.
- We need to merge staging-23.05 to release-23.05. That should also finish this week: staging-next-23.05 iteration 8 - 2023-09-13 #254997
- electron is also vulnerable. Upstream is making new releases on all their supported branches to include the patch.
- electron 26 bumped in master (electron: 26.1.0 -> 26.2.1 (CVE-2023-4863, #254798) #254816).
- electron 25 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
- electron 24 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
- electron 22 bumped in master (Electron 22/24/25 version bumps for CVE-2023-4863 #255069).
- electron 26 bumped in 23.05 ([Backport release-23.05] electron: 26.1.0 -> 26.2.1 (CVE-2023-4863, #254798) #254819).
- electron 25 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
- electron 24 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
- electron 22 bumped in 23.05 ([Backport release-23.05] Electron 22/24/25 version bumps for CVE-2023-4863 #255072).
- We should figure out what else might be vendoring libwebp. Not sure if there's tooling for this? List of derivations to investigate further and possibly patch:
- List of stuff found to vendor libwebp + triaging status
- High risk stuff (mail clients, IM clients, web browsers)
- armcord
- caprine-bin (caprine-bin: 2.58.0 -> 2.58.3 #257372, [Backport 23.05] caprine-bin: 2.55.5 -> 2.58.3 #257472)
- discord (discord: 0.0.29 -> 0.0.30 #256943, [Backport release-23.05] discord: 0.0.29 -> 0.0.30 #256994)
- fluffychat (Backport all flutter & flutter package changes to 23.05 #257166)
- gitter (gitter: remove (unmaintained upstream, probably useless now) #255784, [release-23.05] gitter: mark vulnerable to CVE-2023-4863 #255786)
- mailspring
- mattermost-desktop (mattermost-desktop: 5.3.1 -> 5.5.0 #257162 / [Backport release-23.05] mattermost-desktop: 5.3.1 -> 5.5.0 #257243)
- mautrix-whatsapp (mautrix-whatsapp: 0.10.1 -> 0.10.2 #256178 / 23.05 [Backport release-23.05] mautrix-whatsapp: 0.10.1 -> 0.10.2 #256209)
- microsoft-edge (microsoft-edge: 116.0.1938.76 -> 117.0.2045.35 #256223 / [Backport release-23.05] microsoft-edge: 116.0.1938.76 -> 117.0.2045.35 #256595)
- mullvad-browser (mullvad-browser: 12.5.3 -> 12.5.4 #255078 / [Backport release-23.05] mullvad-browser: 12.5.3 -> 12.5.4 #255106)
- palemoon-bin (palemoon-bin: 32.3.1 -> 32.4.0.1 #257126, [Backport release-23.05] palemoon-bin: 32.3.1 -> 32.4.0.1 #257614)
- rocketchat-desktop (rocketchat-desktop: 3.8.11 -> 3.9.7 #255910 / [Backport release-23.05] rocketchat-desktop: 3.8.11 -> 3.9.7 #257128)
- signal-desktop (signal-desktop: 6.30.1 -> 6.30.2 #255129, [release-23.05] signal-desktop: 6.29.1 -> 6.30.2 (CVE-2023-4863, #254798) #255139)
- signal-desktop-beta (signal-desktop: 6.30.2 -> 6.31.0, signal-desktop-beta: 6.31.0-beta.1 -> 6.32.0-beta.1 #256435 / [Backport release-23.05] signal-desktop-beta: 6.30.0-beta.2 -> 6.31.0-beta.1, signal-desktop-beta: 6.31.0-beta.1 -> 6.32.0-beta.1 #257169)
- slack (slack: 4.34.115 -> 4.34.120 #257135 / [Backport release-23.05] slack: 4.29.149 -> 4.34.120 (linux), 4.29.149 -> 4.34.119 (darwin) #257149)
- threema-desktop (embedded electron not used)
- tor-browser-bundle-bin (tor-browser-bundle-bin: 12.5.3 -> 12.5.4 #255076 / [Backport release-23.05] tor-browser-bundle-bin: 12.5.3 -> 12.5.4 #255105)
- tutanota-desktop (tutanota-desktop: 3.115.2 -> 3.118.7 #255335 / [Backport release-23.05] tutanota-desktop: 3.112.6 -> 3.118.7 #255888)
- Libs that other stuff might depend on
- flutter
- libcef (libcef: 116.0.21 -> 116.0.24 #256001 / [release-23.05] libcef: 112.3.0 -> 116.0.24 #256003)
- opencv (opencv3,opencv4: disable some unnecessary vendoring on Darwin #256444 / [Backport release-23.05] opencv3,opencv4: disable some unnecessary vendoring on Darwin #257726)
- qt5.qtimageformats (libsForQt5.qt5.qtimageformats: add dependencies jasper, libmng, and libwebp #255044 / [23.05] qt5.qtimageformats: unvendor libwebp #255432)
- qtwebengine (darwin only, maybe?)
- smooth (smooth: unvendor all the things #255994 / [Backport release-23.05] smooth: unvendor all the things #256182)
- darktable (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
- golden-cheetah-bin: ships a vulnerable prebuilt libwebp (cc: @gador @adamcstephens) (golden-cheetah-bin: mark insecure due to CVE-2023-4863 #255339 / [23.05] golden-cheetah-bin: mark insecure due to CVE-2023-4863 #258357)
- koreader: ships a vulnerable prebuilt libwebp (cc: @contrun @neonfuz)
- libreoffice (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
- localsend: ships a vulnerable prebuilt libwebp (cc: @sikmir)
- obs-studio (CVE-2023-4863 (libwebp heap buffer overflow) tracking #254798 (comment))
- rigsofrods-bin (ships a vulnerable prebuilt libwebp (cc: @wegank))
- Anything Rust that depends (transitively or not) on libwebp-sys2 < v0.1.8
- libwebp-sys2 might silently decide to build its vendored version if it can't find system libwebp or if the static crate feature is enabled.
- gst_all_1.gst-plugins-rs (gst_all_1.gst-plugins-rs: check that system libwebp was linked #254915)
- catppuccin-catwalk (catppucin-catwalk: use system libwebp #254911)
- Anything Rust that depends (transitively or not) on libwebp-sys < v0.9.3
- Linking against system webp is intentionally not supported: Support linking to system-installed libwebp NoXF/libwebp-sys#17
- oculante (oculante: 0.7.4 -> 0.7.5 #255247)
- .NET software that uses SkiaSharp. Upstream has yet to release a fixed version. ([BUG] SkiaSharp vendors libwebp vulnerable to CVE-2023-4863 mono/SkiaSharp#2608)
- avalonia-ilspy
- BeatSaberModManager
- denaro
- galaxy-buds-client
- jellyfin
- mission-planner
- mqttmultimeter
- opentracker
- openutau
- ryujinx
- scarab
- wasabiwallet
- Go software linking with https://github.com/chai2010/webp (CVE-2023-4863 impacting libwebp 1.0.2 chai2010/webp#61, Vendored libwebp is vulnerable to CVE-2023-4863 bep/gowebp#7) - broken down per vulnerable lib
- https://github.com/chai2010/webp (unmaintained, likely never getting patched - action should be getting upstream to migrate away)
- https://github.com/bep/gowebp (Vendored libwebp is vulnerable to CVE-2023-4863 bep/gowebp#7)
- hugo
- Godot related derivations: these should be unvendored (capability already exists in the build system).
- godot_4
- godot3
- godot3-server
- godot3-headless
- godot3-export-templates
- Built using Godot
- lorien
- oh-my-git
- Electron apps where we ship upstream binaries instead of using nixpkgs electron
- Best course of action: upstream should update to electron >= 26.2.1, >= 25.8.1, >= 24.8.3, or >= 22.3.24 and tag a new release
- atom
- hakuneko
- hyper
- indigenous-desktop
- joplin-desktop
- keeweb (unmaintained, mark as insecure?)
- keybase-gui
- insomnia
- mullvad-vpn
- simplenote
Notes
- For derivations that vendor a vulnerable libwebp, the preferred actions in priority order:
- De-vendor libwebp and use the version from nixpkgs. (Difficult/impossible for binary provenance derivations.)
- Update to a new version from upstream that has a more recent libwebp patched for the vulnerability (TODO: how to check?)
- Mark as knownVulnerable at some point if upstream can't be convinced to make a new release.
- List of all software in nixpkgs known to contain libwebp: https://gist.github.com/delroth/a49ce318c4a2c28ec3d7c8bc4adb9b61
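For the "is there tooling for this?" question in the task list and the "how to check?" TODO above: the script below is an added example (not nixpkgs tooling or the issue author's code) that reads the DT_NEEDED entries of a built ELF binary to tell whether it resolves WebP from the system libwebp shared object; a package that handles WebP images but has no libwebp.so entry anywhere in its output is carrying its own copy. It handles little-endian ELF64 only, and the fake_elf helper builds a constructed sample so it runs without a store path.

```python
"""Added example: does a built ELF binary take WebP from the system libwebp (DT_NEEDED) or not?"""
import struct
import sys
from pathlib import Path

SHT_DYNAMIC, DT_NEEDED = 6, 1  # section type and dynamic tag we look for


def needed_libs(data: bytes) -> list[str]:
    """Return the DT_NEEDED shared-library names of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":  # magic, ELFCLASS64, ELFDATA2LSB
        raise ValueError("not a little-endian ELF64 file")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)
    headers = [shoff + i * shentsize for i in range(shnum)]
    needed = []
    for base in headers:  # sh_type @+4, sh_offset @+0x18, sh_size @+0x20, sh_link @+0x28
        if struct.unpack_from("<I", data, base + 4)[0] != SHT_DYNAMIC:
            continue
        off, size = struct.unpack_from("<QQ", data, base + 0x18)
        link = struct.unpack_from("<I", data, base + 0x28)[0]
        strtab = struct.unpack_from("<Q", data, headers[link] + 0x18)[0]  # .dynstr offset
        for pos in range(off, off + size, 16):  # Elf64_Dyn = (d_tag, d_val)
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NEEDED:
                needed.append(data[strtab + val:data.index(b"\0", strtab + val)].decode())
    return needed


def uses_system_libwebp(data: bytes) -> bool:
    """True when WebP is resolved from a shared libwebp; False means any WebP code is bundled."""
    return any(lib.startswith("libwebp.so") for lib in needed_libs(data))


def fake_elf(libs: list[str]) -> bytes:
    """Constructed sample input: a minimal ELF64 image with only .dynstr and .dynamic sections."""
    names = [lib.encode() + b"\0" for lib in libs]
    dynstr = b"\0" + b"".join(names)
    offsets = [1 + sum(map(len, names[:i])) for i in range(len(names))]
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets) + struct.pack("<qQ", 0, 0)
    str_off, dyn_off = 64, 64 + len(dynstr)
    sh_off = dyn_off + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    shdr = lambda typ, off, size, link: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, 0)
    return ehdr + dynstr + dynamic + shdr(0, 0, 0, 0) + shdr(3, str_off, len(dynstr), 0) + shdr(6, dyn_off, len(dynamic), 1)


if __name__ == "__main__":  # usage: python3 check_webp_link.py /nix/store/<hash>-<package>
    for f in (p for p in Path(sys.argv[1]).rglob("*") if p.is_file()):
        try:
            print("system libwebp" if uses_system_libwebp(f.read_bytes()) else "no libwebp.so NEEDED", f)
        except ValueError:
            pass  # not an ELF64 file
```

A statically linked libwebp built with hidden symbol visibility leaves neither a NEEDED entry nor exported WebP symbols behind, so the absence of a libwebp.so entry in a WebP-capable package is the signal, not the presence of symbol names.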