Bugzilla – Bug 1215231
VUL-0: CVE-2023-4863: libwebp,MozillaFirefox,MozillaThunderbird,chromium,ungoogled-chromium,libreoffice: Heap buffer overflow in WebP
Last modified: 2024-08-29 20:35:21 UTC
CVE-2023-4863

The Stable and Extended stable channels has been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the log.

This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06

Google is aware that an exploit for CVE-2023-4863 exists in the wild.

Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=1479274

References:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431
This is an autogenerated message for OBS integration: This bug (1215231) was mentioned in
  https://build.opensuse.org/request/show/1110459 Factory / chromium
  https://build.opensuse.org/request/show/1110462 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
Team, two requests:

Please re-evaluate this against libwebp. Chromium builds with the system lib:

> BuildRequires: pkgconfig(libwebp) >= 0.4.0
> [...]
> # Set system libraries to be used
> gn_system_libraries=(
> [...]
> libwebp
> [...]
> )

$ zypper info --requires chromium | grep webp
libwebp.so.7()(64bit)

Second, just to make you aware that this is also coming to FF, in case it will be under the same CVE.
https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566
Jan, https://chromium.googlesource.com/webm/libwebp.git/+/2af26267cdfcb63a88e5c74a85927a12d6ca1d76 is for you I think
This is an autogenerated message for OBS integration: This bug (1215231) was mentioned in https://build.opensuse.org/request/show/1110615 Factory / libwebp
Thanks Jan. xiaoguang you are up for SUSE:SLE-15-SP2:Update/libwebp
You could just take the current graphics/libwebp for 15.SP2 to reduce the version difference. The ABI seems compatible from a first glance (both have libwebp.so.7).
This is an autogenerated message for OBS integration: This bug (1215231) was mentioned in https://build.opensuse.org/request/show/1110694 Factory / ungoogled-chromium
From https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Mozilla Foundation Security Advisory 2023-40
Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2

Announced: September 12, 2023
Impact: critical
Products: Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird
Fixed in: Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2

#CVE-2023-4863: Heap buffer overflow in libwebp

Reporter: Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School
Impact: critical

Description
Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.

References
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1852649
Bug https://bugs.chromium.org/p/chromium/issues/detail?id=1479274

Bundled in Firefox and Thunderbird.

Firefox 117 and 115esr for Tumbleweed:
https://build.opensuse.org/request/show/1110681
https://build.opensuse.org/request/show/1110687
gnome-team, please submit the patch [0] to the following supported packages:

- SUSE:SLE-12-SP1:Update/libwebp
- SUSE:SLE-15-SP2:Update/libwebp
- SUSE:SLE-15:Update/libwebp
- openSUSE:Factory/libwebp

Furthermore, as Dirk mentioned in comment 10 there is one more security relevant commit merged to the main branch [1]. Please review it and provide your feedback, do you consider it part of the same mitigation? In any case, seems to be trivial to backport, so we could simply include it to this update.

[0] https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
[1] https://chromium.googlesource.com/webm/libwebp/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/
MozillaFirefox/MozillaThunderbird bundle this code, please check
(In reply to Andreas Stieger from comment #14)
> MozillaFirefox/MozillaThunderbird bundle this code, please check

update is already submitted by the Firefox maintainers in IBS.
openSUSE-SU-2023:0246-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1215231
CVE References: CVE-2023-4863
JIRA References:
Sources used:
  openSUSE Backports SLE-15-SP5 (src): chromium-116.0.5845.187-bp155.2.31.1
  openSUSE Backports SLE-15-SP4 (src): chromium-116.0.5845.187-bp154.2.117.1
This is an autogenerated message for OBS integration: This bug (1215231) was mentioned in https://build.opensuse.org/request/show/1110935 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
This is an autogenerated message for OBS integration: This bug (1215231) was mentioned in https://build.opensuse.org/request/show/1110949 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / chromium
SUSE-SU-2023:3610-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (critical)
Bug References: 1210168, 1215231, 1215245
CVE References: CVE-2023-4863
Sources used:
  openSUSE Leap 15.4 (src): MozillaFirefox-115.2.1-150200.152.105.1
  openSUSE Leap 15.5 (src): MozillaFirefox-115.2.1-150200.152.105.1
  Desktop Applications Module 15-SP4 (src): MozillaFirefox-115.2.1-150200.152.105.1
  Desktop Applications Module 15-SP5 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): MozillaFirefox-115.2.1-150200.152.105.1
  SUSE Enterprise Storage 7.1 (src): MozillaFirefox-115.2.1-150200.152.105.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3609-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (critical)
Bug References: 1210168, 1215231, 1215245
CVE References: CVE-2023-4863
Sources used:
  SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.2.1-150000.150.103.1
  SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.2.1-150000.150.103.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-115.2.1-150000.150.103.1
  SUSE CaaS Platform 4.0 (src): MozillaFirefox-115.2.1-150000.150.103.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2023:0247-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1215231
CVE References: CVE-2023-4863
JIRA References:
Sources used:
  openSUSE Backports SLE-15-SP5 (src): chromium-116.0.5845.187-bp155.2.34.1
  openSUSE Backports SLE-15-SP4 (src): chromium-116.0.5845.187-bp154.2.120.1
SUSE-SU-2023:3626-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (critical)
Bug References: 1210168, 1215231, 1215245
CVE References: CVE-2023-4863
Sources used:
  SUSE Linux Enterprise Software Development Kit 12 SP5 (src): MozillaFirefox-115.2.1-112.179.1
  SUSE Linux Enterprise High Performance Computing 12 SP5 (src): MozillaFirefox-115.2.1-112.179.1
  SUSE Linux Enterprise Server 12 SP5 (src): MozillaFirefox-115.2.1-112.179.1
  SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): MozillaFirefox-115.2.1-112.179.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3634-1: An update that solves one vulnerability can now be installed.

Category: security (critical)
Bug References: 1215231
CVE References: CVE-2023-4863
Sources used:
  SUSE Package Hub 15 15-SP4 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Package Hub 15 15-SP5 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Manager Proxy 4.2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Manager Retail Branch Server 4.2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Manager Server 4.2 (src): libwebp-1.0.3-150200.3.10.1
  SUSE Enterprise Storage 7.1 (src): libwebp-1.0.3-150200.3.10.1
  openSUSE Leap 15.4 (src): libwebp-1.0.3-150200.3.10.1
  openSUSE Leap 15.5 (src): libwebp-1.0.3-150200.3.10.1
  Basesystem Module 15-SP4 (src): libwebp-1.0.3-150200.3.10.1
  Basesystem Module 15-SP5 (src): libwebp-1.0.3-150200.3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I was hoping to find the patched sources on build.o.o but they are not in SUSE:SLE-15-SP2:Update/libwebp: https://build.opensuse.org/package/show/SUSE:SLE-15-SP2:Update/libwebp
(In reply to Andreas Stieger from comment #35)
> I was hoping to find the patched sources on build.o.o but they are not in
> SUSE:SLE-15-SP2:Update/libwebp:
> https://build.opensuse.org/package/show/SUSE:SLE-15-SP2:Update/libwebp

we are currently working on backports for those older versions.
From comment #13 it seemed like this is the current version (1.0.3+), and given that there do not seem to be instantiations into later SPs, and it was last updated two months ago.
SUSE-SU-2023:3664-1: An update that solves 15 vulnerabilities can now be installed.

Category: security (critical)
Bug References: 1214606, 1215231, 1215245
CVE References: CVE-2023-4051, CVE-2023-4053, CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4582, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585, CVE-2023-4863
Sources used:
  SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.2.2-150200.8.130.1
  openSUSE Leap 15.4 (src): MozillaThunderbird-115.2.2-150200.8.130.1
  openSUSE Leap 15.5 (src): MozillaThunderbird-115.2.2-150200.8.130.1
  SUSE Package Hub 15 15-SP4 (src): MozillaThunderbird-115.2.2-150200.8.130.1
  SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.2.2-150200.8.130.1
  SUSE Linux Enterprise Workstation Extension 15 SP4 (src): MozillaThunderbird-115.2.2-150200.8.130.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://build.opensuse.org/package/show/SUSE:SLE-15-SP2:Update/libwebp
> Set link to libwebp.30649 via maintenance_release request

thanks
Hi, I submitted https://build.suse.de/request/show/307777 for SLE-15. I don't have a PoC file to test this fixes the issue, so I just tested that libwebp could still open webp files correctly.

About the SLE-12-SP1 libwebp package, the source changes are far larger there so I'm still working on that.
reproducer claimed in https://blog.isosceles.com/the-webp-0day/ with https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c
*** Bug 1215715 has been marked as a duplicate of this bug. ***
SUSE-SU-2023:3794-1: An update that solves one vulnerability can now be installed.

Category: security (critical)
Bug References: 1215231
CVE References: CVE-2023-4863
Sources used:
  HPE Helion OpenStack 8 (src): libwebp-0.4.3-4.15.1
  SUSE OpenStack Cloud 8 (src): libwebp-0.4.3-4.15.1
  SUSE OpenStack Cloud 9 (src): libwebp-0.4.3-4.15.1
  SUSE OpenStack Cloud Crowbar 8 (src): libwebp-0.4.3-4.15.1
  SUSE OpenStack Cloud Crowbar 9 (src): libwebp-0.4.3-4.15.1
  SUSE Linux Enterprise Software Development Kit 12 SP5 (src): libwebp-0.4.3-4.15.1
  SUSE Linux Enterprise High Performance Computing 12 SP5 (src): libwebp-0.4.3-4.15.1
  SUSE Linux Enterprise Server 12 SP5 (src): libwebp-0.4.3-4.15.1
  SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): libwebp-0.4.3-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3829-1: An update that solves one vulnerability can now be installed.

Category: security (critical)
Bug References: 1215231
CVE References: CVE-2023-4863
Sources used:
  openSUSE Leap 15.4 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Package Hub 15 15-SP4 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Package Hub 15 15-SP5 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Linux Enterprise Workstation Extension 15 SP4 (src): libwebp-0.5.0-150000.3.14.1
  SUSE Linux Enterprise Workstation Extension 15 SP5 (src): libwebp-0.5.0-150000.3.14.1
  SUSE CaaS Platform 4.0 (src): libwebp-0.5.0-150000.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
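
Added example, not part of the bug thread or of any SUSE tooling: a check of an installed libwebp version-release string against the fixed libwebp source releases listed in the update notices above, matched per upstream version because three maintained streams (0.4.3, 0.5.0, 1.0.3) were patched separately. The function names and the sample installed strings are hypothetical, and the comparison is a simplified form of RPM's segment ordering that assumes no epoch, '~' or '^'.

```python
import re

# Fixed libwebp source version-release pairs, copied from the update notices in this bug.
FIXED_LIBWEBP = ["0.4.3-4.15.1", "0.5.0-150000.3.14.1", "1.0.3-150200.3.10.1"]

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (assumption: no epoch, '~' or '^')."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)  # compare numerically, so 10 > 7
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def check_release(installed, fixed_list=FIXED_LIBWEBP):
    """installed is 'VERSION-RELEASE', e.g. from rpm -q --qf '%{VERSION}-%{RELEASE}'."""
    ver, _, rel = installed.rpartition("-")
    for fixed in fixed_list:
        fver, _, frel = fixed.rpartition("-")
        if rpmvercmp(ver, fver) == 0:
            # Same upstream version: the release number decides.
            return "fixed" if rpmvercmp(rel, frel) >= 0 else "needs-update"
    # Upstream version not listed in this bug's notices: consult the advisory.
    return "not-covered"

if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for sample in ["1.0.3-150200.3.7.1", "1.0.3-150200.3.10.1",
                   "0.4.3-4.12.1", "1.3.2-1.1"]:
        print(sample, check_release(sample))
```

A plain string comparison would rank release 3.7.1 above 3.10.1, which is why the segments are compared numerically.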