Openembedded Core Discussions
* [OE-core][kirkstone 0/3] Patch review
@ 2023-10-31 22:05 Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322 Steve Sakoman
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6124

The following changes since commit 56503e3e80603de3b69acef2f6d32836bc9e5e5d:

  linux-firmware: create separate packages (2023-10-29 06:30:03 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Peter Marko (1):
  libxml2: Patch CVE-2023-45322

Soumya Sambu (1):
  libwebp: Fix CVE-2023-4863

Vijay Anusuri (1):
  tiff: CVE patch correction for CVE-2023-3576

 .../libxml/libxml2/CVE-2023-45322-1.patch     | 49 ++++++++++++
 .../libxml/libxml2/CVE-2023-45322-2.patch     | 79 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |  2 +
 ...-2023-3618-1.patch => CVE-2023-3576.patch} |  3 +-
 ...-2023-3618-2.patch => CVE-2023-3618.patch} |  0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  4 +-
 .../webp/files/CVE-2023-4863.patch            | 53 +++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 8 files changed, 188 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} (100%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

-- 
2.34.1




* [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322
  2023-10-31 22:05 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
@ 2023-10-31 22:05 ` Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 2/3] tiff: CVE patch correction for CVE-2023-3576 Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 Steve Sakoman
  2 siblings, 0 replies; 11+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Backport the patch for the gitlab issue mentioned in the NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Also backport one of the 14 patches for an older issue with similar errors,
so that the cherry-pick applies cleanly without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344

The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are critical enough
to warrant a CVE ID.
This patch will formally fix the reported error case; trying to backport
the other 13 patches and resolve their conflicts would probably be overkill
given the disputed state.
This CVE was ignored on the master branch (as disputed).

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libxml/libxml2/CVE-2023-45322-1.patch     | 49 ++++++++++++
 .../libxml/libxml2/CVE-2023-45322-2.patch     | 79 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |  2 +
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	    }
+ 	    if (doc->intSubset == NULL) {
+ 		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) return(NULL);
++		if (q == NULL) goto error;
+ 		q->doc = doc;
+ 		q->parent = parent;
+ 		doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	} else
+ #endif /* LIBXML_TREE_ENABLED */
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) return(NULL);
++	if (q == NULL) goto error;
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	node = node->next;
+     }
+     return(ret);
++error:
++    xmlFreeNodeList(ret);
++    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
+
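Review bot: on its own this first backport leaves `doc->intSubset` dangling on a later allocation failure. In the DTD branch the copied DTD is stored into the document as soon as it exists (`doc->intSubset = (xmlDtdPtr) q;`), and the new `error:` label then frees the whole partial list with `xmlFreeNodeList(ret)`, DTD node included, if any subsequent `xmlStaticCopyNode` call fails. That is exactly the use-after-free the second patch in this series closes by deferring the assignment, so the two patch files must always be applied together and in this order. Minor: unlike CVE-2023-45322-2.patch this file carries no `CVE:` tag in its header; the filename already carries the ID, which cve-check matches, but a header line stating that this commit is a prerequisite for the actual fix (issue #344, not #583) would tell the next reader why it sits under this CVE name.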
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..845fd70c66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
++    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ 	if (node->type == XML_DTD_NODE ) {
+-	    if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++	    if ((doc == NULL) || (doc->intSubset != NULL)) {
+ 		node = node->next;
+ 		continue;
+ 	    }
+-	    if (doc->intSubset == NULL) {
+-		q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-		if (q == NULL) goto error;
+-		q->doc = doc;
+-		q->parent = parent;
+-		doc->intSubset = (xmlDtdPtr) q;
+-		xmlAddChild(parent, q);
+-	    } else {
+-		q = (xmlNodePtr) doc->intSubset;
+-		xmlAddChild(parent, q);
+-	    }
+-	} else
++            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++            if (q == NULL) goto error;
++            q->doc = doc;
++            q->parent = parent;
++            newSubset = (xmlDtdPtr) q;
++#else
++            node = node->next;
++            continue;
+ #endif /* LIBXML_TREE_ENABLED */
++	} else {
+ 	    q = xmlStaticCopyNode(node, doc, parent, 1);
+-	if (q == NULL) goto error;
++	    if (q == NULL) goto error;
++        }
+ 	if (ret == NULL) {
+ 	    q->prev = NULL;
+ 	    ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ 	}
+ 	node = node->next;
+     }
++    if (newSubset != NULL)
++        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
+
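Review bot: with the `doc->intSubset` assignment deferred to after the loop, the `(doc->intSubset != NULL)` skip no longer catches a second XML_DTD_NODE in the same sibling list: the loop would call `xmlCopyDtd` again, overwrite `newSubset`, and leave the first copy linked in `ret` while `doc->intSubset` ends up pointing at the last one. If such a list can occur, the skip condition should also test `newSubset != NULL`; otherwise a comment stating the single-DTD assumption would help. The deferral itself is the right fix for the malloc-failure UAF: on the `error:` path `doc->intSubset` has not been touched yet, so `xmlFreeNodeList(ret)` cannot free a node the document still references. Style only: the added lines are space-indented while the surrounding code uses tabs; that is acceptable for a verbatim upstream backport, just do not reindent locally or the next backport on top of it will fuzz.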
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb
index 437bccf4ed..533a6dae01 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -29,6 +29,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
            file://CVE-2023-29469.patch \
            file://CVE-2023-39615-0001.patch \
            file://CVE-2023-39615-0002.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
            "
 
 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
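Review bot: the two new entries are listed in the order the files depend on each other (CVE-2023-45322-2.patch relies on the `goto error` / `error:` label that CVE-2023-45322-1.patch introduces, as its context lines show), so keep this ordering if the list is ever reshuffled. Since the commit message says master ignores this CVE as disputed, a one-line note in the commit (or a comment next to these entries) saying that kirkstone carries the fix so cve-check reports it as patched rather than ignored would save the next person from re-deriving that decision.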
-- 
2.34.1




* [OE-core][kirkstone 2/3] tiff: CVE patch correction for CVE-2023-3576
  2023-10-31 22:05 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322 Steve Sakoman
@ 2023-10-31 22:05 ` Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 Steve Sakoman
  2 siblings, 0 replies; 11+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

- The commit [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
  fixes CVE-2023-3576
- Hence, renamed CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
             https://security-tracker.debian.org/tracker/CVE-2023-3618

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch}       | 3 ++-
 .../tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch}       | 0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb                 | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch} (100%)

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
similarity index 93%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
index 8f55d2b496..b17dd72170 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
@@ -4,8 +4,9 @@ Date: Tue, 7 Mar 2023 15:02:08 +0800
 Subject: [PATCH] Fix memory leak in tiffcrop.c
 
 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
-CVE: CVE-2023-3618
+CVE: CVE-2023-3576
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
 ---
  tools/tiffcrop.c | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)
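Review bot: only the header changes here: the `CVE:` tag moves from CVE-2023-3618 to CVE-2023-3576 while the `Upstream-Status` commit (881a070) and the Subject "Fix memory leak in tiffcrop.c" stay the same, so this is purely a re-attribution of the same code change. Because cve-check credits a CVE from both the patch filename and the `CVE:` tag, the rename plus tag change moves the credit for this memory-leak fix to 3576 and, together with the rename of the -2 patch to CVE-2023-3618.patch, keeps 3618 credited by filename. That second file is a 100% rename so its header is not shown; it is worth confirming its inner `CVE:` line still reads CVE-2023-3618 so filename and tag agree.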
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
similarity index 100%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 8dcd73273e..e925b7d652 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -40,8 +40,8 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-26965.patch \
            file://CVE-2023-2908.patch \
            file://CVE-2023-3316.patch \
-           file://CVE-2023-3618-1.patch \
-           file://CVE-2023-3618-2.patch \
+           file://CVE-2023-3576.patch \
+           file://CVE-2023-3618.patch \
            file://CVE-2023-26966.patch \
            file://CVE-2022-40090.patch \
            file://CVE-2023-1916.patch \
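Review bot: straightforward rename of the two SRC_URI entries to match the file renames above; both keep their relative position, so the apply order of the two tiffcrop patches is unchanged. One thing to consider: the commit message relies on the Debian tracker to attribute 881a070 to CVE-2023-3576, but the patch header of CVE-2023-3576.patch cites only the upstream commit. Adding that tracker link to the header would let the next person auditing the recipe verify the attribution without digging through list archives.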
-- 
2.34.1




* [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-10-31 22:05 [OE-core][kirkstone 0/3] Patch review Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 1/3] libxml2: Patch CVE-2023-45322 Steve Sakoman
  2023-10-31 22:05 ` [OE-core][kirkstone 2/3] tiff: CVE patch correction for CVE-2023-3576 Steve Sakoman
@ 2023-10-31 22:05 ` Steve Sakoman
  2023-10-31 23:39   ` Martin Jansa
  2 siblings, 1 reply; 11+ messages in thread
From: Steve Sakoman @ 2023-10-31 22:05 UTC (permalink / raw)
  To: openembedded-core

From: Soumya Sambu <soumya.sambu@windriver.com>

Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webp/files/CVE-2023-4863.patch            | 53 +++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
new file mode 100644
index 0000000000..2b1817822c
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
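Review bot: the CVE attribution is what needs settling before this merges. The backported commit (95ea522, "Fix invalid incremental decoding check", BUG=oss-fuzz:62136) only adjusts the incremental-decoding bookkeeping: it replaces `src < src_end` with `src < src_last` in the `RestoreState` condition and lets the row-processing branch also run when `dec->incremental_ && src >= src_last`. The recipe already carries CVE-2023-5129.patch, which the review reply identifies as the fix for this same issue, so tagging this follow-up with `CVE: CVE-2023-4863` makes cve-check report 4863 as fixed by a commit that is only a follow-up to the real fix. The header should either cite where this follow-up is listed against the CVE (the Debian tracker entry named later in the thread) or drop the `CVE:` tag. Also, the added `assert()` documents the invariant but compiles out under NDEBUG, so it adds no run-time protection in release builds; the behavioural change is confined to the two modified conditions.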
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 4defdd5e42..0728ca60f5 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
            file://CVE-2023-1999.patch \
            file://CVE-2023-5129.patch \
+           file://CVE-2023-4863.patch \
            "
 SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
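Review bot: CVE-2023-4863.patch is appended after CVE-2023-5129.patch, which is the right order since both touch src/dec/vp8l_dec.c and 95ea522 follows the earlier fix, but it also means the recipe would claim two different CVE IDs for what the review thread treats as one issue. Given the maintainer's reply that the patch is dropped pending clarification, this hunk goes with it; if it is reinstated, a sentence in the commit message explaining why a second patch is needed for 4863 when 5129 is already applied would spare the next reviewer the same question.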
-- 
2.34.1




* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-10-31 22:05 ` [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863 Steve Sakoman
@ 2023-10-31 23:39   ` Martin Jansa
  2023-11-01 13:51     ` Steve Sakoman
  0 siblings, 1 reply; 11+ messages in thread
From: Martin Jansa @ 2023-10-31 23:39 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: openembedded-core


I'm surprised this one does apply in kirkstone as there is this security
issue already fixed as 2023-5129 (see dunfell commit
https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b
and
a bit more details in
https://lists.openembedded.org/g/openembedded-core/message/189262 )

Is
https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
really related to CVE-2023-4863 ?

On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <steve@sakoman.com> wrote:

> From: Soumya Sambu <soumya.sambu@windriver.com>
>
> Heap buffer overflow in WebP in Google Chrome prior to
> 116.0.5845.187 allowed a remote attacker to perform an
> out of bounds memory write via a crafted HTML page.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
> https://security-tracker.debian.org/tracker/CVE-2023-4863
> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>
> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>



* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-10-31 23:39   ` Martin Jansa
@ 2023-11-01 13:51     ` Steve Sakoman
  2023-11-02  6:57       ` Sambu, Soumya
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Sakoman @ 2023-11-01 13:51 UTC (permalink / raw)
  To: Martin Jansa; +Cc: openembedded-core

Thanks for reviewing Martin!

I'll drop this patch until there is further clarification on the need for it.

Steve

On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> I'm surprised this one does apply in kirkstone as there is this security issue already fixed as 2023-5129 (see dunfell commit https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b and a bit more details in https://lists.openembedded.org/g/openembedded-core/message/189262 )
>
> Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 really related to CVE-2023-4863 ?
>
> On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <steve@sakoman.com> wrote:
>>
>> From: Soumya Sambu <soumya.sambu@windriver.com>
>>
>> Heap buffer overflow in WebP in Google Chrome prior to
>> 116.0.5845.187 allowed a remote attacker to perform an
>> out of bounds memory write via a crafted HTML page.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
>> https://security-tracker.debian.org/tracker/CVE-2023-4863
>> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>>
>> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
>> Signed-off-by: Steve Sakoman <steve@sakoman.com>



* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-11-01 13:51     ` Steve Sakoman
@ 2023-11-02  6:57       ` Sambu, Soumya
  2023-11-02  7:05         ` Martin Jansa
  0 siblings, 1 reply; 11+ messages in thread
From: Sambu, Soumya @ 2023-11-02  6:57 UTC (permalink / raw)
  To: Martin Jansa, steve@sakoman.com; +Cc: openembedded-core@lists.openembedded.org


Hi Martin, Steve,

Debian lists https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 as a follow-up commit for CVE-2023-4863 [Reference: https://security-tracker.debian.org/tracker/CVE-2023-4863].

This commit was suggested in the SUSE Bugzilla as well: https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13

Regards,
Soumya
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
Sent: Wednesday, November 1, 2023 7:21 PM
To: Martin Jansa <martin.jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863


Thanks for reviewing Martin!

I'll drop this patch until there is further clarification on the need for it.

Steve

On Tue, Oct 31, 2023 at 1:39 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> I'm surprised this one does apply in kirkstone as there is this security issue already fixed as 2023-5129 (see dunfell commit https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b and a bit more details in https://lists.openembedded.org/g/openembedded-core/message/189262 )
>
> Is https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520 really related to CVE-2023-4863 ?
>
> On Tue, Oct 31, 2023 at 11:05 PM Steve Sakoman <steve@sakoman.com> wrote:
>>
>> From: Soumya Sambu <soumya.sambu@windriver.com>
>>
>> Heap buffer overflow in WebP in Google Chrome prior to
>> 116.0.5845.187 allowed a remote attacker to perform an
>> out of bounds memory write via a crafted HTML page.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-4863
>> https://security-tracker.debian.org/tracker/CVE-2023-4863
>> https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
>>
>> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
>> Signed-off-by: Steve Sakoman <steve@sakoman.com>
>> ---
>>  .../webp/files/CVE-2023-4863.patch            | 53 +++++++++++++++++++
>>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  1 +
>>  2 files changed, 54 insertions(+)
>>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>>
>> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>> new file mode 100644
>> index 0000000000..2b1817822c
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863.patch
>> @@ -0,0 +1,53 @@
>> +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
>> +From: Vincent Rabaud <vrabaud@google.com>
>> +Date: Mon, 11 Sep 2023 16:06:08 +0200
>> +Subject: [PATCH] Fix invalid incremental decoding check.
>> +
>> +The first condition is only necessary if we have not read enough
>> +(enough being defined by src_last, not src_end which is the end
>> +of the image).
>> +The second condition now fits the comment below: "if not
>> +incremental, and we are past the end of buffer".
>> +
>> +BUG=oss-fuzz:62136
>> +
>> +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
>> +
>> +CVE: CVE-2023-4863
>> +
>> +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
>> +
>> +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
>> +---
>> + src/dec/vp8l_dec.c | 15 +++++++++++++--
>> + 1 file changed, 13 insertions(+), 2 deletions(-)
>> +
>> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
>> +index 186b0b2..59a9e64 100644
>> +--- a/src/dec/vp8l_dec.c
>> ++++ b/src/dec/vp8l_dec.c
>> +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
>> +   }
>> +
>> +   br->eos_ = VP8LIsEndOfStream(br);
>> +-  if (dec->incremental_ && br->eos_ && src < src_end) {
>> ++  // In incremental decoding:
>> ++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
>> ++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
>> ++  // be reset until there is more data.
>> ++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
>> ++  // fully read, either enough has been read to reach 'src_last'.
>> ++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
>> ++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
>> ++  // The buffer might have been enough or there is some left. 'br->eos_' does
>> ++  // not matter.
>> ++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
>> ++  if (dec->incremental_ && br->eos_ && src < src_last) {
>> +     RestoreState(dec);
>> +-  } else if (!br->eos_) {
>> ++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
>> +     // Process the remaining rows corresponding to last row-block.
>> +     if (process_func != NULL) {
>> +       process_func(dec, row > last_row ? last_row : row);
>> +--
>> +2.40.0
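Review bot: the `CVE: CVE-2023-4863` tag at the top of this patch file is not supported by the upstream header it wraps. Upstream commit 95ea5226 is titled "Fix invalid incremental decoding check", cites BUG=oss-fuzz:62136, and the diff only changes the `src < src_end` / `src < src_last` bookkeeping in DecodeImageData() for incremental decoding; nothing in it mentions the heap buffer overflow described in the recipe's commit message, and the recipe already carries CVE-2023-5129.patch for that issue, which is the question raised above in this thread. Either add to the patch header the reference that identifies this commit as a follow-up fix for CVE-2023-4863 (the Debian tracker entry or the SUSE bug cited later in the thread), or mark it as a follow-up to CVE-2023-5129.patch rather than as the CVE fix itself, so the recipe's CVE metadata and later backporters do not treat this commit alone as closing the CVE. Also note that the new `assert()` only documents the invariant and is compiled out under NDEBUG; the two `if` conditions below it have to be safe on their own, which they are: `eos_ && src < src_last` resets, `(incremental_ && src >= src_last) || !eos_` processes the remaining rows, and the leftover case `!eos_ && src < src_last` is the one the comment says cannot occur.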
>> diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
>> index 4defdd5e42..0728ca60f5 100644
>> --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
>> +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
>> @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
>>  SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
>>             file://CVE-2023-1999.patch \
>>             file://CVE-2023-5129.patch \
>> +           file://CVE-2023-4863.patch \
>>             "
>>  SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
>>
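Review bot: this hunk leaves `file://CVE-2023-5129.patch` and `file://CVE-2023-4863.patch` side by side for what the thread treats as one issue, so the recipe now names two CVE ids for a fix plus its follow-up, and dunfell (which carries the fix under 2023-5129) and kirkstone end up with different ids for the same upstream commits. If commit 95ea5226 is a follow-up to the CVE-2023-5129 backport, fold both upstream commits into CVE-2023-4863.patch and drop CVE-2023-5129.patch, as proposed later in the thread, or at minimum carry both `CVE:` tags in a single patch header so the ids match across branches.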
>> --
>> 2.34.1
>>
>>
>>
>>



* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-11-02  6:57       ` Sambu, Soumya
@ 2023-11-02  7:05         ` Martin Jansa
  2023-11-02  8:43           ` Sambu, Soumya
  0 siblings, 1 reply; 11+ messages in thread
From: Martin Jansa @ 2023-11-02  7:05 UTC (permalink / raw)
  To: Sambu, Soumya; +Cc: steve@sakoman.com, openembedded-core@lists.openembedded.org


On Thu, Nov 2, 2023 at 7:57 AM Sambu, Soumya <Soumya.Sambu@windriver.com>
wrote:

> Hi Martin, Steve,
>
> Debian has mentioned
> https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 as
> a follow-up commit for CVE-2023-4863 [Reference:
> https://security-tracker.debian.org/tracker/CVE-2023-4863].
>
> This commit was suggested in Bugzilla SUSE as well -
> https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13
>

Aha, thanks for this information, can you please make sure that all
supported branches receive this additional commit (preferably in a less
confusing set of .patch files, e.g. apply both from CVE-2023-4863.patch and
remove CVE-2023-5129.patch)?


>
> Regards,
> Soumya
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> *Sent:* Wednesday, November 1, 2023 7:21 PM
> *To:* Martin Jansa <martin.jansa@gmail.com>
> *Cc:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Subject:* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
>
> Thanks for reviewing Martin!
>
> I'll drop this patch until there is further clarification on the need for
> it.
>
> Steve
>



* Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863
  2023-11-02  7:05         ` Martin Jansa
@ 2023-11-02  8:43           ` Sambu, Soumya
  0 siblings, 0 replies; 11+ messages in thread
From: Sambu, Soumya @ 2023-11-02  8:43 UTC (permalink / raw)
  To: Martin Jansa; +Cc: steve@sakoman.com, openembedded-core@lists.openembedded.org


Sure, Martin.

Regards,
Soumya
________________________________
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, November 2, 2023 12:35 PM
To: Sambu, Soumya <Soumya.Sambu@windriver.com>
Cc: steve@sakoman.com <steve@sakoman.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone 3/3] libwebp: Fix CVE-2023-4863

On Thu, Nov 2, 2023 at 7:57 AM Sambu, Soumya <Soumya.Sambu@windriver.com> wrote:
Hi Martin, Steve,

Debian has mentioned https://chromium.googlesource.com/webm/libwebp.git/+/95ea5226c870449522240ccff26f0b006037c520%5E%21/#F0 as a follow-up commit for CVE-2023-4863 [Reference: https://security-tracker.debian.org/tracker/CVE-2023-4863].

This commit was suggested in Bugzilla SUSE as well - https://bugzilla.suse.com/show_bug.cgi?id=1215231#c13

Aha, thanks for this information, can you please make sure that all supported branches receive this additional commit (preferably in a less confusing set of .patch files, e.g. apply both from CVE-2023-4863.patch and remove CVE-2023-5129.patch)?



Regards,
Soumya



* [OE-core][kirkstone 0/3] Patch review
@ 2025-02-13 14:26 Steve Sakoman
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Sakoman @ 2025-02-13 14:26 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, February 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1003

The following changes since commit bd12abeff6ee14385fba63fa5ba15d9fadec4d0e:

  cmake: apply parallel build settings to ptest tasks (2025-02-11 05:34:41 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Joshua Watt (2):
  lib/packagedata.py: Add API to iterate over rprovides
  classes-global/insane: Look up all runtime providers for file-rdeps

Peter Marko (1):
  openssl: upgrade 3.0.15 -> 3.0.16

 meta/classes/insane.bbclass                   |  30 ++-
 meta/lib/oe/packagedata.py                    |  15 ++
 .../openssl/openssl/CVE-2024-13176.patch      | 125 -----------
 .../openssl/openssl/CVE-2024-9143.patch       | 202 ------------------
 .../{openssl_3.0.15.bb => openssl_3.0.16.bb}  |   4 +-
 5 files changed, 28 insertions(+), 348 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
 delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.15.bb => openssl_3.0.16.bb} (98%)

-- 
2.43.0




* [OE-core][kirkstone 0/3] Patch review
@ 2025-09-16 14:17 Steve Sakoman
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Sakoman @ 2025-09-16 14:17 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, September 18

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2381

The following changes since commit 3dd917c52ace30607800f0b70a52a52662dda731:

  wpa-supplicant: fix CVE-2022-37660 (2025-09-09 09:01:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (1):
  go: ignore CVE-2024-24790

Philip Lorenz (1):
  insane: Ensure that `src-uri-bad` fails correctly

Richard Purdie (1):
  insane: Improve patch warning/error handling

 meta/classes/insane.bbclass             | 24 ++++++++++++++++--------
 meta/recipes-devtools/go/go-1.17.13.inc |  3 ++-
 2 files changed, 18 insertions(+), 9 deletions(-)

-- 
2.43.0



