Bug 32280

Summary:	libwebp new security issue CVE-2023-4863
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	brtians1, davidwhodgins, fri, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8TOO MGA9-64-OK MGA8-64-OK
Source RPM:	libwebp-1.3.0-2.mga9.src.rpm	CVE:
Status comment:

Description Nicolas Salguero 2023-09-13 12:25:27 CEST

The issue is fixed upstream in those commits:
https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0

Nicolas Salguero 2023-09-13 12:25:51 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => libwebp-1.3.0-2.mga9.src.rpm

Comment 1 Lewis Smith 2023-09-13 19:28:51 CEST

Assigning this globally because there is no one packager in evidence for libwebp.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-09-14 16:00:16 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (CVE-2023-4863)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)sharpyuv0-1.3.0-2.1.mga9
lib(64)webp7-1.3.0-2.1.mga9
lib(64)webpdecoder3-1.3.0-2.1.mga9
lib(64)webpdemux2-1.3.0-2.1.mga9
lib(64)webpmux3-1.3.0-2.1.mga9
lib(64)webp-devel-1.3.0-2.1.mga9
libwebp-tools-1.3.0-2.1.mga9

from SRPM:
libwebp-1.3.0-2.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)webp7-1.1.0-2.2.mga8
lib(64)webpdecoder3-1.1.0-2.2.mga8
lib(64)webpdemux2-1.1.0-2.2.mga8
lib(64)webpmux3-1.1.0-2.2.mga8
lib(64)webp-devel-1.1.0-2.2.mga8
libwebp-tools-1.1.0-2.2.mga8

from SRPM:
libwebp-1.1.0-2.2.mga8.src.rpm

Assignee: pkg-bugs => nicolas.salguero
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Status: NEW => ASSIGNED
Version: Cauldron => 9

Nicolas Salguero 2023-09-19 09:16:53 CEST

Assignee: nicolas.salguero => qa-bugs

Comment 3 Herman Viaene 2023-09-20 17:53:45 CEST

MGA8-64 Xfce on Acer Aspire 5253
No innstallation issues.
Ref bug 31783 for testing
Firefox continues to work OK, looked for other test, and found https://developers.google.com/speed/webp/docs/img2webp
trying with some jpg files.
$ img2webp shelt0001.jpeg shelt0002.jpeg shelt0003.jpeg -o testwebp.webp
Frame #1 dimension mismatched! Got 2104 x 3183. Was expecting 3152 x 2158.
Above documentation does not show any light on this problem
Ommitting the first jpg:
$ img2webp shelt0002.jpeg shelt0003.jpeg -o testwebp.webp
Frame #1 dimension mismatched! Got 3152 x 2131. Was expecting 2104 x 3183.
Beats me !!!!!

CC: (none) => herman.viaene

Nicolas Salguero 2023-09-25 07:22:09 CEST

Severity: normal => critical

Comment 4 Brian Rockwell 2023-09-25 15:27:40 CEST

I tested this in MGA9 as best I could.  

approving this

CC: (none) => brtians1
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK

Comment 5 Herman Viaene 2023-09-25 16:30:30 CEST

MGA9-64 Xfce on Acer Aspire 5253
No innstallation issues.
Got exactly te same results as in Comment 3. I don't know what to think of it, specially since I cann't find any restriction on the file sizes while googling.

Comment 6 Marja Van Waes 2023-09-30 13:39:59 CEST

Advisory uploaded.

I assume the script to push updates only works when someone from QA has validated the update, because sometimes sysadmin-bugs is already in the CC list when a bug report for an update is created.

@ NS80

Can you please look at Herman's comments?

CC: (none) => marja11, sysadmin-bugs
Keywords: (none) => advisory

Comment 7 Dave Hodgins 2023-09-30 16:12:22 CEST

My understanding is that it selects advisories from svn where the bug is
assigned to qa and the validated keyword is present.

CC: (none) => davidwhodgins

Comment 8 Marja Van Waes 2023-09-30 16:50:20 CEST

(In reply to Dave Hodgins from comment #7)
> My understanding is that it selects advisories from svn where the bug is
> assigned to qa and the validated keyword is present.

Thanks :-)

Comment 9 Nicolas Salguero 2023-10-03 08:59:17 CEST

(In reply to Herman Viaene from comment #5)
> MGA9-64 Xfce on Acer Aspire 5253
> No innstallation issues.
> Got exactly te same results as in Comment 3. I don't know what to think of
> it, specially since I cann't find any restriction on the file sizes while
> googling.

I tried with some jpeg I have and did not see the message.

I think that update need to be urgently pushed since the security issue affects chromium, libreoffice...

Best regards,

Nico.

Herman Viaene 2023-10-03 09:46:04 CEST

Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA9-64-OK MGA8-64-OK

Comment 10 Morgan Leijström 2023-10-03 10:31:44 CEST

Approving by the OKs
Dont know how to test this myself and it is not a core system package

CC: (none) => fri
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2023-10-03 12:56:27 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0282.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED