
Bug 2238543

Summary: CVE-2023-4863: Heap buffer overflow in WebP
Product: [Fedora] Fedora
Reporter: barsnick
Component: libwebp
Assignee: Sandro Mani <manisandro>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: rawhide
CC: awilliam, bdm, manisandro, mcatanza, pdwyer, saroy
Target Milestone: ---
Keywords: Reopened, Security, VerifiedUpstream
Target Release: ---
Hardware: All
OS: Linux
URL: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Fixed In Version: libwebp-1.3.1-3.fc40 libwebp-1.3.1-3.fc38 libwebp-1.3.1-3.fc39 libwebp-1.3.1-3.fc37
Last Closed: 2023-09-15 19:54:20 UTC
Bug Blocks: 2238431, 2143445

Description barsnick 2023-09-12 12:02:23 UTC
This seems to be a critical bug in libwebp.

The Chrome release notes, as linked above, say:

> Google is aware that an exploit for CVE-2023-4863 exists in the wild.

(This exploit may only be valid for Chrome/Chromium, but nevertheless, this is the component in question.)

According to
https://chromium.googlesource.com/chromium/src/+log/116.0.5845.179..116.0.5845.188?pretty=fuller&n=10000

the fix is in 6a319d4da..4619a48fc of libwebp, which means this commit is supposed to fix the issue:
https://github.com/webmproject/libwebp/commit/4619a48fc

This should be applied as a patch on top of 1.3.1, until a new release is available.

Reproducible: Always




Registered in Bugzilla as Chromium bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2238431

Comment 1 Fedora Update System 2023-09-13 08:34:26 UTC
FEDORA-2023-d5faede1d6 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d5faede1d6

Comment 2 Fedora Update System 2023-09-13 09:55:17 UTC
FEDORA-2023-f8319bd876 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f8319bd876

Comment 3 Fedora Update System 2023-09-13 09:55:18 UTC
FEDORA-2023-c4fa8a204d has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d

Comment 4 Fedora Update System 2023-09-13 09:55:18 UTC
FEDORA-2023-3388038193 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-3388038193

Comment 5 Fedora Update System 2023-09-13 10:16:37 UTC
FEDORA-2023-d5faede1d6 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Michael Catanzaro 2023-09-13 22:29:03 UTC
Reopening to request freeze exception

Comment 7 Fedora Blocker Bugs Application 2023-09-13 22:29:13 UTC
Proposed as a Freeze Exception for 39-beta by Fedora user catanzaro using the blocker tracking app because:

 This webp security update is important and should not be blocked until beta freeze has ended.

Comment 8 Fedora Update System 2023-09-14 01:46:45 UTC
FEDORA-2023-f8319bd876 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f8319bd876`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f8319bd876

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-09-14 01:55:10 UTC
FEDORA-2023-c4fa8a204d has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-c4fa8a204d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-09-14 02:34:23 UTC
FEDORA-2023-3388038193 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-3388038193`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-3388038193

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Michael Catanzaro 2023-09-14 14:40:28 UTC
*** Bug 2238951 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2023-09-15 01:42:27 UTC
FEDORA-2023-c4fa8a204d has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Michael Catanzaro 2023-09-15 11:27:38 UTC
Reopening again for freeze exception

Comment 14 Adam Williamson 2023-09-15 17:23:49 UTC
The FE process is not in play any more since Beta is signed off. This will just go whenever the freeze is lifted.

Comment 15 Michael Catanzaro 2023-09-15 19:02:24 UTC
Sigh...

Comment 16 Adam Williamson 2023-09-15 19:15:26 UTC
It can still be ON_QA, I was just explaining that the FE process isn't involved any more :D

Comment 17 Fedora Update System 2023-09-15 19:54:20 UTC
FEDORA-2023-f8319bd876 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2023-09-16 01:40:55 UTC
FEDORA-2023-3388038193 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.
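
To confirm that a host actually carries one of the builds listed under "Fixed In Version", the installed version-release string can be compared against the fixed build for its Fedora release. The following is an added example, not part of the bug report or of any Fedora tooling: the function names are hypothetical, the comparison is a simplified form of RPM's segment ordering (no `~` or `^` handling), and the input is assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' libwebp`.

```python
import re

# Fixed builds exactly as listed in this bug's "Fixed In Version" field.
FIXED_BUILDS = {
    "fc37": "1.3.1-3.fc37",
    "fc38": "1.3.1-3.fc38",
    "fc39": "1.3.1-3.fc39",
    "fc40": "1.3.1-3.fc40",
}

def _segcmp(a, b):
    """Order two version or release strings segment by segment
    (simplified RPM ordering: separators ignored, no '~' or '^')."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)      # numeric segments compare as integers
        elif x.isdigit():
            return 1                   # a numeric segment outranks an alphabetic one
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _segcmp(va, vb) or _segcmp(ra, rb)

def has_fix(installed_evr):
    """True/False for Fedora 37-40 builds; None when the dist tag is not
    one of the releases this bug lists."""
    m = re.search(r"\.(fc[0-9]+)$", installed_evr)
    fixed = FIXED_BUILDS.get(m.group(1)) if m else None
    if fixed is None:
        return None
    return evr_cmp(installed_evr, fixed) >= 0
```

A `None` result means the bug gives no fixed build for that release, so the answer has to come from that distribution's own advisory.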