Bug 19719

Summary:	libwebp new security issues CVE-2016-8888 and CVE-2016-9085
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Rémi Verschelde <rverschelde>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	alexander, marja11, nicolas.salguero, olav, thierry.vignaud
Version:	Cauldron
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/705671/
Whiteboard:
Source RPM:	libwebp-0.4.3-1.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2016-11-04 17:44:20 CET

Fedora has issued an advisory on November 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PTR2ZW67TMT7KC24RBENIF25KWUJ7VPD/

The issue was fixed upstream in Chromium in this commit:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83

David Walser 2016-11-04 17:44:30 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-04 23:39:08 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => alexander, marja11, olav, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2016-11-08 10:17:50 CET

Done for Cauldron.

Regarding Mga5, the file "examples/gifdec.c" does not exist in version 0.4.3 so the patch does not apply.  Is Mga5 really affected?

I found that Debian considers that version 0.4.1 is also affected but I do not know why (as you can see here: https://security-tracker.debian.org/tracker/CVE-2016-9085).

CC: (none) => nicolas.salguero

Comment 3 David Walser 2016-11-08 14:38:03 CET

Some of the code might be in examples/gif2webp_util.c, but it doesn't look like we have an issue in the mga5 library, so I'll close this until and unless more information becomes available.  Thanks!

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-12-28 19:25:02 CET

This is referenced in this Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842714

libwebp 0.5.2 has been released, fixing CVE-2016-9085 as well as CVE-2016-8888:
https://chromium.googlesource.com/webm/libwebp/+/master/NEWS

Looking at the patch Debian added for this (0009-Import-use-relative-pointer-offsets.patch), it looks like it almost applies in src/enc/picture_csp.c, but the code in the second hunk has changed a bit.

Status: RESOLVED => REOPENED
Version: Cauldron => 5
Resolution: FIXED => (none)
Summary: libwebp new security issue CVE-2016-9085 => libwebp new security issues CVE-2016-8888 and CVE-2016-9085
Source RPM: libwebp-0.5.1-2.mga6.src.rpm => libwebp-0.4.3-1.mga5.src.rpm

Rémi Verschelde 2017-03-06 18:24:45 CET

Assignee: pkg-bugs => rverschelde

Comment 5 David Walser 2017-12-30 02:23:49 CET

The Debian patch I mentioned before seems to no longer be available.  Ubuntu says CVE-2016-9085 doesn't affect 0.4.x, and I can't find any information on CVE-2016-8888.  Closing this.

Version: 5 => Cauldron
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED