This was reported today: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ "Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild."
looks like firefox was taken care of here: https://cgit.freebsd.org/ports/commit/?id=b3229433aa825a4b309fca69c13c06c31fea896d and thunderbird was updated here: https://cgit.freebsd.org/ports/commit/?id=b3229433aa825a4b309fca69c13c06c31fea896d
It is not fixed. Firefox uses external webp library on FreeBSD.
Created attachment 244850 [details] webp 1.3.2
https://groups.google.com/a/webmproject.org/g/webp-discuss/c/YhVFA45DVfM
Created attachment 244919 [details] Patch for webp Update (lib)webp to 1.3.2 and switch to CMake for faster builds and .cmake files for other projects Import following patches from Fedora: https://src.fedoraproject.org/rpms/libwebp/blob/rawhide/f/libwebp-cmakedir.patch https://src.fedoraproject.org/rpms/libwebp/blob/rawhide/f/libwebp-freeglut.patch https://src.fedoraproject.org/rpms/libwebp/blob/rawhide/f/libwebp-rpath.patch Compile tested on FreeBSD 13.2-RELEASE (amd64) (make, make check-plist) Poudriere testport OK 12.4-RELEASE (amd64) Poudriere testport OK 13.2-RELEASE (amd64) Tested with following consumers in 13.2-RELEASE (amd64) using Poudriere: comms/xastir devel/allegro5 devel/cvsgraph devel/efl devel/electron22 devel/electron23 devel/electron24 devel/electron25 devel/smooth editors/emacs editors/emacs-devel editors/libreoffice editors/vscode games/naev games/netradiant games/taisei graphics/GraphicsMagick graphics/ImageMagick6 graphics/ImageMagick7 graphics/aseprite graphics/blender graphics/chafa graphics/darktable graphics/elementary-photos graphics/gd graphics/gdal graphics/geeqie graphics/gegl graphics/gimp-app graphics/graphviz graphics/gstreamer1-plugins-webp graphics/gthumb graphics/imageworsener graphics/imlib2 graphics/imlib2-webp (fails, conflicts with imlib2) - Unrelated graphics/krita graphics/leptonica graphics/libheif graphics/librasterlite2 graphics/maim graphics/mapnik graphics/mscgen graphics/mtpaint graphics/nsxiv graphics/opencv graphics/openimageio graphics/osgearth graphics/py-openimageio graphics/py-pillow graphics/qt5-imageformats graphics/qt6-imageformats graphics/realesrgan-ncnn-vulkan graphics/realsr-ncnn-vulkan graphics/sdl2_image graphics/sdl_image graphics/simple-scan graphics/simpleviewer graphics/vips graphics/waifu2x-ncnn-vulkan graphics/webp-pixbuf-loader japanese/gd mail/thunderbird math/gnuplot math/sage (configure: error: You do not have a suitable version of Python installed) - Unrelated multimedia/emby-server multimedia/emby-server-devel multimedia/ffmpeg multimedia/ffmpeg4 multimedia/gstreamer1-plugins-rust multimedia/motion (fails to compile with current version of webp in tree) - Unrelated to this change net/guacamole-server net-im/ejabberd net-im/signal-desktop net-im/telegram-purple net-mgmt/driftnet russian/gd science/octopus textproc/obsidian ukrainian/gd www/chromium www/firefox www/firefox-esr www/gohugo www/iridium www/lagrange www/librewolf www/links www/netsurf www/qt5-webengine www/qt5-webkit www/qt6-webengine www/tor-browser www/ungoogled-chromium www/webkit2-gtk3 www/webkit2-gtk4 x11/eaglemode x11/swayimg x11/xpra (fails, requires pandoc with lua support) - Unrelated x11-toolkits/fox17 x11-toolkits/p5-Prima x11-wm/libwraster x11-wm/windowmaker
*** Bug 273832 has been marked as a duplicate of this bug. ***
I think that the ports system need some changes. Multi maintainers per port or security team that can patch/update ports without maintainer's approval. Maintainers are people and people can be busy. But we should not leave users vulnerable like this.
(In reply to Oleh Hushchenkov from comment #7) We already have a Ports Security Team (ports-secteam@FreeBSD.org) and they have been notified of this PR.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=8005c3565d0bbf76a3e7d6751156c7de979dddb7 commit 8005c3565d0bbf76a3e7d6751156c7de979dddb7 Author: Tijl Coosemans <tijl@FreeBSD.org> AuthorDate: 2023-09-14 18:40:31 +0000 Commit: Tijl Coosemans <tijl@FreeBSD.org> CommitDate: 2023-09-21 08:24:31 +0000 graphics/webp: Update to 1.3.2 PR: 273766 Security: CVE-2023-4863 graphics/webp/Makefile | 3 +-- graphics/webp/distinfo | 6 +++--- graphics/webp/pkg-plist | 8 ++++---- 3 files changed, 8 insertions(+), 9 deletions(-)
A week is way too long for a critical vulnerability that is known to be exploited so I've taken the liberty to commit my patch. I'll leave the bug open for the maintainer to look into diizzy's patch.
A commit in branch 2023Q3 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=d1ce1dbba0b1289b5518d366793077ea7a7df1ed commit d1ce1dbba0b1289b5518d366793077ea7a7df1ed Author: Tijl Coosemans <tijl@FreeBSD.org> AuthorDate: 2023-09-14 18:40:31 +0000 Commit: Tijl Coosemans <tijl@FreeBSD.org> CommitDate: 2023-09-21 08:52:03 +0000 graphics/webp: Update to 1.3.2 PR: 273766 Security: CVE-2023-4863 (cherry picked from commit 8005c3565d0bbf76a3e7d6751156c7de979dddb7) graphics/webp/Makefile | 2 +- graphics/webp/distinfo | 6 +++--- graphics/webp/pkg-plist | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-)
Thanks for updating the port! Should the patch for "build webp using cmake" be moved to a separate issue and close this one? Just to separate critical stuff from "normal" enhancements.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=57055cf99dd10c2029360eab869ecf0ba88e72ad commit 57055cf99dd10c2029360eab869ecf0ba88e72ad Author: Ronald Klop <ronald@FreeBSD.org> AuthorDate: 2023-09-21 09:31:22 +0000 Commit: Ronald Klop <ronald@FreeBSD.org> CommitDate: 2023-09-21 09:31:22 +0000 security/vuxml: add graphics/webp heap buffer overflow graphics/webp was updated to 1.3.2 PR: 273766 Security: CVE-2023-4863 security/vuxml/vuln/2023.xml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
(In reply to Ronald Klop from comment #12) There's already bug 273832, currently closed as a duplicate of this bug.
I merged because I did a mini exp-run and there was no mention about it from Tijl, but it would be a nice if we could merge it as well.
I will not use cmake for such tiny library. cmake is heavy. It brings no benefit in this case.
(In reply to Po-Chuan Hsieh from comment #16) Can you elaborate on this? You have both reverse dependency by at least libpng and 20+ direct consumers that utilizes CMake. Build times on my Tigerlake laptop show that it's quite a bit faster too: ====> Running Q/A tests (stage-qa) 18.08s real 58.16s user 9.79s sys ====> Running Q/A tests (stage-qa) 7.90s real 34.34s user 2.25s sys