19719 – libwebp new security issues CVE-2016-8888 and CVE-2016-9085

Bug 19719 - libwebp new security issues CVE-2016-8888 and CVE-2016-9085

Summary: libwebp new security issues CVE-2016-8888 and CVE-2016-9085

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	Rémi Verschelde
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/705671/
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2016-11-04 17:44 CET by David Walser
Modified:	2017-12-30 02:23 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	libwebp-0.4.3-1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-11-04 17:44:20 CET

Fedora has issued an advisory on November 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PTR2ZW67TMT7KC24RBENIF25KWUJ7VPD/

The issue was fixed upstream in Chromium in this commit:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83

David Walser 2016-11-04 17:44:30 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-04 23:39:08 CET

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => alexander, marja11, olav, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2016-11-08 10:17:50 CET

Done for Cauldron.

Regarding Mga5, the file "examples/gifdec.c" does not exist in version 0.4.3 so the patch does not apply.  Is Mga5 really affected?

I found that Debian considers that version 0.4.1 is also affected but I do not know why (as you can see here: https://security-tracker.debian.org/tracker/CVE-2016-9085).

CC: (none) => nicolas.salguero

Comment 3 David Walser 2016-11-08 14:38:03 CET

Some of the code might be in examples/gif2webp_util.c, but it doesn't look like we have an issue in the mga5 library, so I'll close this until and unless more information becomes available.  Thanks!

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-12-28 19:25:02 CET

This is referenced in this Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842714

libwebp 0.5.2 has been released, fixing CVE-2016-9085 as well as CVE-2016-8888:
https://chromium.googlesource.com/webm/libwebp/+/master/NEWS

Looking at the patch Debian added for this (0009-Import-use-relative-pointer-offsets.patch), it looks like it almost applies in src/enc/picture_csp.c, but the code in the second hunk has changed a bit.

Status: RESOLVED => REOPENED
Version: Cauldron => 5
Resolution: FIXED => (none)
Summary: libwebp new security issue CVE-2016-9085 => libwebp new security issues CVE-2016-8888 and CVE-2016-9085
Source RPM: libwebp-0.5.1-2.mga6.src.rpm => libwebp-0.4.3-1.mga5.src.rpm

Rémi Verschelde 2017-03-06 18:24:45 CET

Assignee: pkg-bugs => rverschelde

Comment 5 David Walser 2017-12-30 02:23:49 CET

The Debian patch I mentioned before seems to no longer be available.  Ubuntu says CVE-2016-9085 doesn't affect 0.4.x, and I can't find any information on CVE-2016-8888.  Closing this.

Version: 5 => Cauldron
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.