Bug 2238543

Summary: CVE-2023-4863: Heap buffer overflow in WebP
Product: [Fedora] Fedora Reporter: barsnick
Component: libwebpAssignee: Sandro Mani <manisandro>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: awilliam, bdm, manisandro, mcatanza, pdwyer, saroy
Target Milestone: ---Keywords: Reopened, Security, VerifiedUpstream
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Whiteboard:
Fixed In Version: libwebp-1.3.1-3.fc40 libwebp-1.3.1-3.fc38 libwebp-1.3.1-3.fc39 libwebp-1.3.1-3.fc37 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-15 19:54:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2238431, 2143445    

Description barsnick 2023-09-12 12:02:23 UTC 
This seems to be a critical bug in libwebp.

The Chrome release notes, as linked above, say:

> Google is aware that an exploit for CVE-2023-4863 exists in the wild.

(This exploit may only be valid for Chrome/Chromium, nut nevertheless, this is the component in question.)

According to
https://chromium.googlesource.com/chromium/src/+log/116.0.5845.179..116.0.5845.188?pretty=fuller&n=10000

the fix is in 6a319d4da..4619a48fc of libwebp, which means this commit is supposed to fix the issue:
https://github.com/webmproject/libwebp/commit/4619a48fc

This should be applied as a patch on top of 1.3.1, until a new release is available.

Reproducible: Always




Registered in Bugzilla as Chromium bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2238431
Comment 1 Fedora Update System 2023-09-13 08:34:26 UTC 
FEDORA-2023-d5faede1d6 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d5faede1d6
Comment 2 Fedora Update System 2023-09-13 09:55:17 UTC 
FEDORA-2023-f8319bd876 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f8319bd876
Comment 3 Fedora Update System 2023-09-13 09:55:18 UTC 
FEDORA-2023-c4fa8a204d has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d
Comment 4 Fedora Update System 2023-09-13 09:55:18 UTC 
FEDORA-2023-3388038193 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-3388038193
Comment 5 Fedora Update System 2023-09-13 10:16:37 UTC 
FEDORA-2023-d5faede1d6 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Michael Catanzaro 2023-09-13 22:29:03 UTC 
Reopening to request freeze exception
Comment 7 Fedora Blocker Bugs Application 2023-09-13 22:29:13 UTC 
Proposed as a Freeze Exception for 39-beta by Fedora user catanzaro using the blocker tracking app because:

 This webp security update is important and should not be blocked until beta freeze has ended.
Comment 8 Fedora Update System 2023-09-14 01:46:45 UTC 
FEDORA-2023-f8319bd876 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f8319bd876`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f8319bd876

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2023-09-14 01:55:10 UTC 
FEDORA-2023-c4fa8a204d has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c4fa8a204d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2023-09-14 02:34:23 UTC 
FEDORA-2023-3388038193 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-3388038193`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-3388038193

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Michael Catanzaro 2023-09-14 14:40:28 UTC 
*** Bug 2238951 has been marked as a duplicate of this bug. ***
Comment 12 Fedora Update System 2023-09-15 01:42:27 UTC 
FEDORA-2023-c4fa8a204d has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 13 Michael Catanzaro 2023-09-15 11:27:38 UTC 
Reopening again for freeze exception
Comment 14 Adam Williamson 2023-09-15 17:23:49 UTC 
The FE process is not in play any more since Beta is signed off. This will just go whenever the freeze is lifted.
Comment 15 Michael Catanzaro 2023-09-15 19:02:24 UTC 
Sigh...
Comment 16 Adam Williamson 2023-09-15 19:15:26 UTC 
It can still be ON_QA, I was just explaining that the FE process isn't involved any more :D
Comment 17 Fedora Update System 2023-09-15 19:54:20 UTC 
FEDORA-2023-f8319bd876 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 18 Fedora Update System 2023-09-16 01:40:55 UTC 
FEDORA-2023-3388038193 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.