[kirkstone,06/27] libwebp: Fix CVE-2023-1999

Message ID	a5d0f8734ca643c25f0952387b38edf8ffd70525.1689689618.git.steve@sakoman.com
State	Accepted, archived
Commit	a5d0f8734ca643c25f0952387b38edf8ffd70525
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/27] libwebp: Fix CVE-2023-1999 Date: Tue, 18 Jul 2023 04:25:40 -1000 Message-Id: <a5d0f8734ca643c25f0952387b38edf8ffd70525.1689689618.git.steve@sakoman.com> In-Reply-To: <cover.1689689618.git.steve@sakoman.com> References: <cover.1689689618.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/27] perl: Fix CVE-2023-31486 \| expand [kirkstone,01/27] perl: Fix CVE-2023-31486 [kirkstone,02/27] sqlite3: CVE-2023-36191 CLI fault on missing -nonce [kirkstone,03/27] bind : fix CVE-2023-2828 & CVE-2023-2911 [kirkstone,04/27] libx11: Fix CVE-2023-3138 for kirkstone branch [kirkstone,05/27] curl: Added CVE-2023-28320 Follow-up patch [kirkstone,06/27] libwebp: Fix CVE-2023-1999 [kirkstone,07/27] tzdata: upgrade to 2023c [kirkstone,08/27] serf: upgrade 1.3.9 -> 1.3.10 [kirkstone,09/27] wget: upgrade 1.21.3 -> 1.21.4 [kirkstone,10/27] linux-firmware: upgrade 20230404 -> 20230515 [kirkstone,11/27] wireless-regdb: upgrade 2023.02.13 -> 2023.05.03 [kirkstone,12/27] vim: upgrade 9.0.1527 -> 9.0.1592 [kirkstone,13/27] selftest reproducible.py: support different build targets [kirkstone,14/27] selftest/reproducible: Allow chose the package manager [kirkstone,15/27] libpng: Add ptest for libpng [kirkstone,16/27] logrotate: Do not create logrotate.status file [kirkstone,17/27] pybootchartgui: show elapsed time for each task [kirkstone,18/27] systemd: Backport nspawn: make sure host root can write to the uidmapped mounts w… [kirkstone,19/27] rust-llvm: backport a fix for build with gcc-13 [kirkstone,20/27] bitbake.conf: add unzstd in HOSTTOOLS [kirkstone,21/27] sdk.py: error out when moving file fails [kirkstone,22/27] sdk.py: fix moving dnf contents [kirkstone,23/27] zip: fix configure check by using _Static_assert [kirkstone,24/27] unzip: fix configure check for cross compilation [kirkstone,25/27] sysfsutils: fetch a supported fork from github [kirkstone,26/27] wic: Add dependencies for erofs-utils [kirkstone,27/27] cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Message ID

a5d0f8734ca643c25f0952387b38edf8ffd70525.1689689618.git.steve@sakoman.com

State

Accepted, archived

Commit

a5d0f8734ca643c25f0952387b38edf8ffd70525

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/27] libwebp: Fix CVE-2023-1999
Date: Tue, 18 Jul 2023 04:25:40 -1000
Message-Id: 
 <a5d0f8734ca643c25f0952387b38edf8ffd70525.1689689618.git.steve@sakoman.com>
In-Reply-To: <cover.1689689618.git.steve@sakoman.com>
References: <cover.1689689618.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/27] perl: Fix CVE-2023-31486 | expand

Commit Message

Steve Sakoman July 18, 2023, 2:25 p.m. UTC

From: Soumya <soumya.sambu@windriver.com>

There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999

Upstream patch:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129

Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webp/files/CVE-2023-1999.patch            | 60 +++++++++++++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  4 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-1999.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 0000000000..895d01ea7d
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,60 @@ 
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c0269..7d20558 100644
+--- a/src/enc/alpha_enc.c
++++ b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include <assert.h>
+ #include <stdlib.h>
++#include <string.h>
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+       }
+     } else {
+       VP8LBitWriterWipeOut(&tmp_bw);
++      memset(&result->bw, 0, sizeof(result->bw));
+       return 0;
+     }
+   }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+   header = method | (filter << 2);
+   if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+-  VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++  if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+   ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+   ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+
+--
+2.40.0
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 263589846a..5d868b3b96 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -13,7 +13,9 @@  LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
                     file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
 
-SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz"
+SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
+           file://CVE-2023-1999.patch \
+           "
 SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
 UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"

[kirkstone,06/27] libwebp: Fix CVE-2023-1999

Commit Message

Patch