libwebp: cherry-pick suspected upstream fix for CVE-2023-4863 #254775
mweinelt merged 1 commit into NixOS:staging-next from
Conversation
This CVE is critical severity and has been exploited in the wild. It was reported as being a Chromium vulnerability, but it seems to in fact impact libwebp (and thus all its downstream users). There is however no official confirmation of this yet. The upstream fix patch (webmproject/libwebp@902bc919) does not cleanly apply onto 1.3.1, so we vendor a very slightly modified version which does cleanly apply. This is my original work, so YMMV on whether you trust it or not, reviews very much welcomed :-)
(Also open to better ideas than "vendoring a patch not validated by upstream", but I have no clue how I'd even get started engaging with upstream here since their development process is extremely opaque to outsiders.)
My backport of the patch seems to match Mozilla's, FWIW: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566 I've diffed the result of applying my patch and Mozilla's patch; they're identical.
Assuming nontrivial security concerns,
If this PR goes fast, I think we'd get to nixos-unstable in a few days, during weekend latest. |
@mweinelt as de facto security lead (if you disagree, name who you think is de facto security lead :P) please LGTM this for the approach taken and whether we should send this to staging-next as soon as this is reviewed, or whether we should wait for something else. Or delegate that decision to someone else :) |
I think we can merge to staging-next now. I was trying to run the firefox tests, but pylint is currently broken on staging-next. Will try to look into that tonight.
yu-re-ka left a comment
The idea seems reasonable, and I compared the patch to Mozilla's.
Backport failed for Please cherry-pick the changes locally.
git fetch origin staging-23.05
git worktree add -d .worktree/backport-254775-to-staging-23.05 origin/staging-23.05
cd .worktree/backport-254775-to-staging-23.05
git checkout -b backport-254775-to-staging-23.05
ancref=$(git merge-base 92f41becba5701c37372ad1a990a31893779b43d 0f11042876c07f1abbe172d9c8fe41feedd0be9c)
git cherry-pick -x $ancref..0f11042876c07f1abbe172d9c8fe41feedd0be9c
I'll send a backport PR shortly.
Same patch as used for main/libwebp but with adjusted paths to include src/3rdparty/libwebp/ Origin: NixOS/nixpkgs#254775
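Two comments above concern the same check: the author diffed the result of applying their backport against Mozilla's, and the Qt commits carry the same patch with every path prefixed by src/3rdparty/libwebp/. The following is an added example, not code from nixpkgs, Mozilla or libwebp: instead of applying both patches to a source tree, it parses the two unified diffs directly and compares hunk bodies after discarding the metadata that legitimately differs between vendors (commit headers, index lines, hunk line numbers and the vendoring prefix). The patch texts are constructed and do not reproduce the CVE-2023-4863 fix; git-style diff headers (`diff --git`) are assumed.

```python
"""Compare two unified diffs that should carry the same fix.

Added example (not the nixpkgs, Mozilla or libwebp code). Metadata that may
differ between vendors is ignored: commit headers, `index` lines, hunk line
numbers, and a vendoring path prefix such as src/3rdparty/libwebp/.
Git-style diffs (`diff --git` file headers) are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

Hunks = Dict[str, List[Tuple[str, ...]]]
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def parse_patch(text: str, strip_prefix: str = "") -> Hunks:
    """Map each touched path to its hunk bodies; @@ line numbers are dropped
    because they shift when surrounding code differs, while the fix does not."""
    files: Dict[str, List[List[str]]] = {}
    current: Optional[str] = None
    hunk: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("diff --git"):
            hunk = None                      # a new file section starts
        elif HUNK_HEADER.match(line):
            if current is None:
                raise ValueError("hunk header before any +++ file header")
            hunk = []
            files.setdefault(current, []).append(hunk)
        elif hunk is not None:
            if line[:1] in (" ", "+", "-", "\\"):
                hunk.append(line)            # context / added / removed / "\ No newline"
        elif line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            if path.startswith("b/"):        # git's destination prefix
                path = path[2:]
            if strip_prefix and path.startswith(strip_prefix):
                path = path[len(strip_prefix):]
            current = path
        # anything else (commit message, ---/index lines, diffstat) is metadata
    return {p: [tuple(h) for h in hs] for p, hs in files.items()}


def hunk_differences(a: str, b: str, prefix_a: str = "", prefix_b: str = "") -> List[str]:
    """Human-readable differences; an empty list means the patches apply the
    same change to the same files, modulo metadata and path prefix."""
    pa, pb = parse_patch(a, prefix_a), parse_patch(b, prefix_b)
    problems: List[str] = []
    for path in sorted(set(pa) | set(pb)):
        if path not in pa:
            problems.append(f"{path}: present only in second patch")
        elif path not in pb:
            problems.append(f"{path}: present only in first patch")
        elif len(pa[path]) != len(pb[path]):
            problems.append(f"{path}: {len(pa[path])} vs {len(pb[path])} hunks")
        else:
            for i, (x, y) in enumerate(zip(pa[path], pb[path]), 1):
                if x != y:
                    problems.append(f"{path}: hunk {i} body differs")
    return problems


# Constructed sample patches (not the real fix): a reference patch, the same
# change re-rooted under a bundled-copy prefix, and a copy with an altered line.
REFERENCE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Subject: [PATCH] example: reject out-of-range table index (constructed)

---
 src/utils/example.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/utils/example.c b/src/utils/example.c
index 1111111..2222222 100644
--- a/src/utils/example.c
+++ b/src/utils/example.c
@@ -10,3 +10,4 @@ static int lookup(int n)
 {
-  return table[n];
+  if (n < 0 || n >= kTableSize) return 0;
+  return table[n];
 }
"""

VENDORED_PATCH = """\
Same fix with adjusted paths to include src/3rdparty/libwebp/ (constructed)

diff --git a/src/3rdparty/libwebp/src/utils/example.c b/src/3rdparty/libwebp/src/utils/example.c
index 3333333..4444444 100644
--- a/src/3rdparty/libwebp/src/utils/example.c
+++ b/src/3rdparty/libwebp/src/utils/example.c
@@ -12,3 +12,4 @@ static int lookup(int n)
 {
-  return table[n];
+  if (n < 0 || n >= kTableSize) return 0;
+  return table[n];
 }
"""

# constructed: one comparison operator changed, which a path-insensitive diff must still catch
TAMPERED_PATCH = REFERENCE_PATCH.replace("n >= kTableSize", "n > kTableSize")

if __name__ == "__main__":
    for name, other, prefix in (("vendored", VENDORED_PATCH, "src/3rdparty/libwebp/"),
                                ("tampered", TAMPERED_PATCH, "")):
        diffs = hunk_differences(REFERENCE_PATCH, other, prefix_b=prefix)
        print(f"{name}: {'identical fix' if not diffs else diffs}")
```

Without the prefix argument the vendored patch is reported as touching a different file, which is the expected result: the check only equates the two once you state which prefix the bundled copy adds.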
There's an upstream release now: webmproject/libwebp@v1.3.1...v1.3.2
Description of changes
cc @vcunat since I'm targeting staging-next with this.