Vulnerability CVE-2023-4863 of Google's Libwebp - CAVE! - affecting main browsers and known programs

Rava
Contributor
Posts: 5416
Joined: 11 Jan 2011, 02:46
Distribution: XFCE 5.01 x86_64 + 4.0 i586
Location: Forests of Germany

Post#1 by Rava » 21 Sep 2023, 12:38

Vulnerability CVE-2023-4863 - Does Porteus system use Google's Libwebp for webp support aside from some browsers and programs that are affected:

https://www.tarlogic.com/blog/cve-2023-4863/
This vulnerability not only affects the Mozilla Firefox browser or others based on Chromium (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave, …) but also affects applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
(highlighting by me)

About Palemoon I have this info:
https://forum.palemoon.org/viewtopic.ph ... 01#p243601
Moonchild wrote: It doesn't seem to be directly exploitable in our platform code, by the way, so mostly a defense-in-depth fix.
Read more in-depth details here:
https://www.tarlogic.com/blog/cve-2023-4863/

I just quote some small parts.
CVE-2023-4863: Heap buffer overflow in Google libwebp (WebP)
19 - Sep - 2023 - S.T.A².R.S Team
[…]
The Chromium team has already reported the exploitation of this zero-day in the wild, so it is recommended to update affected products as soon as possible.

Key features of CVE-2023-4863

The main characteristics of this vulnerability are detailed below:

CVE Identifier: CVE-2023-4863
Publishing date: 12/09/2023
Affected Software: Browsers such as Mozilla Firefox or Chromium based (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave); and applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected versions
Multiple products are affected. The affected versions are those lower than the ones listed in the Mitigation table.

CVE-2023-4863 affects major web browsers
(highlighting by me)

Added in 11 hours 29 minutes 42 seconds:
ncmprhnsbl told me via PM that the updated newest version of libwebp will be included in the next upcoming update.
If you want a quicker fix you can do it yourself.
I only found libwebp in 002-xorg.xzm, but at the time of my find and grep test I had none of the known affected programs activated as modules (no GIMP, no chrom[ei]*, no firefox, none of the other known vulnerable programs), so you have to test all possibly affected modules manually yourself.

Code:

guest@rava:/mnt/live/memory/images$ find . 2>/dev/null |grep libwebp
./002-xorg.xzm/usr/lib64/libwebp.so
./002-xorg.xzm/usr/lib64/libwebp.so.7
./002-xorg.xzm/usr/lib64/libwebp.so.7.1.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3.1.3
./002-xorg.xzm/usr/lib64/libwebpdemux.so
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2.0.9
./002-xorg.xzm/usr/lib64/libwebpmux.so
./002-xorg.xzm/usr/lib64/libwebpmux.so.3
./002-xorg.xzm/usr/lib64/libwebpmux.so.3.0.8
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
./002-xorg.xzm/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
./002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1

You have to extract the module.
You have to run the appropriate removepkg command to uninstall libwebp - not from your system but from your extracted module.
You have to run the appropriate installpkg command to install the most recent libwebp - not into your system but into your extracted module folder.

Create a new updated 002-xorg.xzm module, name it e.g. 002-xorg_libwebp-fix.xzm

Which of the listed libwebp* needs to be updated I do not know.

Added in 43 seconds:
Cave! If you do not know how to update a base module and/or do not know which libwebp* need to be updated wait till ncmprhnsbl releases the official update. =@

Since Chromium has already encountered an exploit in the wild using this vulnerability (see the quote above), best refrain from using any Chromium module until you get a fixed version.
Then mark your older Chromium modules as vulnerable when there are reasons to keep older versions, such as by renaming these:

e.g.
mv 005-chromium-ungoogled-105.0.5195.125-x86_64-en-GB-1alien-NO-browser.desktop.xzm 005-chromium-ungoogled-LIBWEBP-VULNERABILITY-105.0.5195.125-x86_64-en-GB-1alien-NO-browser.desktop.xzm

Chances are very high that exploits of other known browsers and well known and used programs will appear in the wild as well, e.g. against Firefox, against GIMP etcetera.

Do not put any known vulnerable module of any of the affected programs into your base/ or optional/ folder, or they would be activated at next boot by default when in base/ (or via kernel APPEND cheat code when in optional/), and the renaming that was meant as a warning and reminder for you would be of no consequence.
=@

On the 2nd page of this thread gomway shared some neat informative links and I put these here as well since I deem them essential enough:
gomway wrote:
29 Sep 2023, 12:11
The WebP 0day: https://blog.isosceles.com/the-webp-0day/
Project Zero: https://googleprojectzero.blogspot.com/

How to identify the threat (with big list of affected and patched apps): https://www.ninjaone.com/blog/webp-0-da ... 2023-5129/

Electron-based vulnerable apps: https://gist.github.com/mttaggart/02ed5 ... 032dd2e7ec
Thanks gomway!
Last edited by Rava on 29 Sep 2023, 12:28, edited 1 time in total.
Reason: quote of gomway's helpful links from his post on page 2
Cheers!
Yours Rava
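
Added example, not from the post: the four rebuild steps above (extract, removepkg, installpkg, repack) as one shell function. It assumes the Porteus tools xzm2dir and dir2xzm, that Slackware's removepkg honours the ROOT variable, and that installpkg accepts --root; rebuild_module is a hypothetical name.

```shell
#!/bin/sh
# Rebuild a Porteus module with its libwebp package replaced.
# Assumed tools: xzm2dir / dir2xzm (Porteus), removepkg / installpkg
# (Slackware pkgtools). Run as root so ownership and permissions in the
# extracted tree survive the round trip.

# rebuild_module SRC_XZM NEW_PKG_TXZ OUT_XZM
rebuild_module() {
    src=$1 pkg=$2 out=$3
    [ -f "$src" ] && [ -f "$pkg" ] || { echo "missing input file" >&2; return 2; }
    # Never write over the original module: keep it as a fallback.
    [ "$src" != "$out" ] || { echo "refusing to overwrite $src" >&2; return 2; }

    work=$(mktemp -d) || return 1

    # Step 1: extract the module into a scratch tree.
    xzm2dir "$src" "$work" || { rm -rf "$work"; return 1; }

    # Find the package entry recorded inside the module,
    # e.g. var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1
    old=
    for f in "$work"/var/lib/pkgtools/packages/libwebp-*; do
        [ -e "$f" ] && old=${f##*/}
    done
    [ -n "$old" ] || { echo "no libwebp package in $src" >&2; rm -rf "$work"; return 3; }

    # Step 2: remove the old package from the extracted tree, not from the
    # running system. The subshell keeps ROOT from leaking into the caller.
    ( ROOT=$work; export ROOT; removepkg "$old" ) || { rm -rf "$work"; return 1; }

    # Step 3: install the new package into the extracted tree.
    installpkg --root "$work" "$pkg" || { rm -rf "$work"; return 1; }

    # Step 4: pack the tree under the new module name.
    dir2xzm "$work" "$out"; rc=$?
    rm -rf "$work"
    return $rc
}

# Example call, using file names that appear in this thread:
#   rebuild_module 002-xorg.xzm libwebp-1.3.2-x86_64-1.txz 002-xorg_libwebp-fix.xzm
if [ "$#" -eq 3 ]; then
    rebuild_module "$@"
fi
```
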

Rapha_
Shogun
Posts: 238
Joined: 12 Jun 2021, 21:59
Distribution: Xfce 4.12 - 5.rc3 - x86_64
Location: France

Post#2 by Rapha_ » 23 Sep 2023, 22:04

Thanks a lot, Rava, for the information!

As there is a more recent "Official" version of libwebp (libwebp-1.3.2-x86_64-1.txz, 2023-09-14), can I place this new module (libwebp-1.3.2-x86_64-1.xzm) in the "module" folder to replace the older version ?

Post#3 by Rava » 23 Sep 2023, 23:18

Yes. But also no, read to the very end of this post to be on the safe side. I marked parts of this post in bold and in red for good reasons. :)

● make sure it is loaded after the affected module. When you have numbered all your modules in base/ then a non-numbered one will be loaded last.
● Cave! When you use an unaffected program as default (e.g. Palemoon as your web browser) but on rare occasions need a different browser for a task PM cannot handle (e.g. video telephony, video conferencing) and you load your chrom[ei]* or firefox manually, then this module would be the last activated, so make sure to test afterwards which libwebp is in your system. Programs usually use the more generic symlink that points to the real version. In my case:

Code:

guest@rava:/mnt/live/memory/images$ ls -o /usr/lib64/libwebp.so
lrwxrwxrwx 1 root 16 2022-12-11 09:49 /usr/lib64/libwebp.so -> libwebp.so.7.1.3
guest@rava:/mnt/live/memory/images$ ls -o /usr/lib64/libwebp.so.7.1.3 
-rwxr-xr-x 1 root 436728 2022-12-11 09:50 /usr/lib64/libwebp.so.7.1.3

My system uses libwebp.so.7.1.3 from 2022-12-11.

● But there are other libwebp* libraries. Are these affected as well? Are these part of libwebp-1.3.2-x86_64-1.txz ?

Here is what my system shows looking for all things libwebp:

Code:

guest@rava:/mnt/live/memory/images$ find . -name "*libwebp*" 2>/dev/null
./002-xorg.xzm/usr/lib64/libwebp.so
./002-xorg.xzm/usr/lib64/libwebp.so.7
./002-xorg.xzm/usr/lib64/libwebp.so.7.1.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3.1.3
./002-xorg.xzm/usr/lib64/libwebpdemux.so
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2.0.9
./002-xorg.xzm/usr/lib64/libwebpmux.so
./002-xorg.xzm/usr/lib64/libwebpmux.so.3
./002-xorg.xzm/usr/lib64/libwebpmux.so.3.0.8
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
./002-xorg.xzm/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
./002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1

The 2>/dev/null is needed or else the "find ." would print all kinds of error messages about folders it could not access, e.g. all /root/ ones and some others.

● Is libwebp-1.3.2-x86_64-1.txz already a fixed version against vulnerability CVE-2023-4863? You have to read the changelog to see if the vulnerability is mentioned; if it is mentioned, then the version will fix that vulnerability. (Unless the mention states that this version has not yet fixed that vulnerability.)

● My system uses libwebp-1.2.2-x86_64-1 - but the python ones might come from somewhere else. Are they affected as well? The article linked above doesn't mention python, but it mentions other programs than the ones listed being affected.

Back to the above: when you loaded a different module after boot make sure which libwebp module is used in your system.
● When a later loaded module overwrites your symlink pointing to your newer version, creating a symlink that points to its own version that is part of that module, it makes your system vulnerable again.
Therefore I mentioned renaming known affected programs and better refrain from using these until there is a fixed version addressing the issue.

You can always use

Code:

lsxzm module-name.xzm |grep libwebp

to look if a certain module contains libwebp or not.

Code:

root@rava:/Porteus_modules# lsxzm 005-chromium-ungoogled-105.0.5195.125-x86_64-en-GB-1alien-NO-browser.desktop.xzm |grep libwebp
root@rava:/Porteus_modules# 

● Cave! As you can see, chromium-ungoogled-105.0.5195.125 doesn't contain libwebp per se, but as of the writing of the above linked article chromium was the only known program to be exploited in the wild because of the vulnerability CVE-2023-4863 - so in that case it could be that the vulnerability of chromium is deeper inside its code, and only ditching all affected programs and only using updated ones that fix the vulnerability CVE-2023-4863 will put you on the safe side of things.
=@
Last edited by Rava on 23 Sep 2023, 23:28, edited 1 time in total.
Reason: more highlighting in red+bold, typo
Cheers!
Yours Rava

Post#4 by Rapha_ » 24 Sep 2023, 00:36

libwebp-1.3.2 - NEW :
- 9/13/2023: version 1.3.2
This is a binary compatible release.
* security fix for lossless decoder (chromium: #1479274, CVE-2023-4863)

File versions inside:

Code:

lsxzm libwebp-1.3.2-x86_64-1.xzm |grep libwebp
/usr/doc/libwebp-1.3.2
/usr/doc/libwebp-1.3.2/AUTHORS
/usr/doc/libwebp-1.3.2/COPYING
/usr/doc/libwebp-1.3.2/ChangeLog
/usr/doc/libwebp-1.3.2/NEWS
/usr/doc/libwebp-1.3.2/PATENTS
/usr/doc/libwebp-1.3.2/README.md
/usr/lib64/libwebp.so
/usr/lib64/libwebp.so.7
/usr/lib64/libwebp.so.7.1.8
/usr/lib64/libwebpdecoder.so
/usr/lib64/libwebpdecoder.so.3
/usr/lib64/libwebpdecoder.so.3.1.8
/usr/lib64/libwebpdemux.so
/usr/lib64/libwebpdemux.so.2
/usr/lib64/libwebpdemux.so.2.0.14
/usr/lib64/libwebpmux.so
/usr/lib64/libwebpmux.so.3
/usr/lib64/libwebpmux.so.3.0.13
/usr/lib64/pkgconfig/libwebp.pc
/usr/lib64/pkgconfig/libwebpdecoder.pc
/usr/lib64/pkgconfig/libwebpdemux.pc
/usr/lib64/pkgconfig/libwebpmux.pc
/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info/PKG-INFO
/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info/SOURCES.txt
/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info/dependency_links.txt
/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info/top_level.txt
/var/lib/pkgtools/packages/libwebp-1.3.2-x86_64-1
/var/lib/pkgtools/scripts/libwebp-1.3.2-x86_64-1

Not tested yet as a module...

Deactivated webp in Firefox (with about:config)

Post#5 by Rava » 24 Sep 2023, 01:04

Rapha_ wrote:
24 Sep 2023, 00:36
Deactivated webp in Firefox (with about:config)

How did you deactivate it?

And how does one deactivate webp in Chrom[ei]* ?
Cheers!
Yours Rava

Post#6 by Rapha_ » 24 Sep 2023, 02:09

How did you deactivate it?

For Firefox, in the address bar, type:

Code:

about:config
Enter

Then....Accept the risk and continue

Search : webp

image.webp.enabled True ---> False

Compare with this page :
https://developers.google.com/speed/webp/gallery1


But I don't know for Chromium ...

Post#7 by Rava » 24 Sep 2023, 05:10

Rapha_ wrote:
24 Sep 2023, 02:09
image.webp.enabled True ---> False

Good thinking. Hopefully that keeps you safe, but I am not sure if a code vulnerability works that way; it could be you are still vulnerable. But I am no expert on all that.

Anyway we can be sure that all affected maintainers will create updated programs, and usually programs which go online are the most vulnerable (browser, email reader, bittorrent client, chat client…) and others less so (GIMP)
Cheers!
Yours Rava

Post#8 by Rapha_ » 24 Sep 2023, 11:11

With the module libwebp-1.3.2-x86_64-1.xzm activated, it now seems to be patched:

Code:

guest@porteus:/usr/lib64$ ls -lR . |grep webp
lrwxrwxrwx  1 root  root        16 sept. 23 23:39 libwebp.so -> libwebp.so.7.1.8*
lrwxrwxrwx  1 root  root        16 sept. 23 23:39 libwebp.so.7 -> libwebp.so.7.1.8*
-rwxr-xr-x  1 root  root    436800 févr. 13  2021 libwebp.so.7.1.1*
-rwxr-xr-x  1 root  root    440976 sept. 14 19:21 libwebp.so.7.1.8*
lrwxrwxrwx  1 root  root        23 sept. 23 23:39 libwebpdecoder.so -> libwebpdecoder.so.3.1.8*
lrwxrwxrwx  1 root  root        23 sept. 23 23:39 libwebpdecoder.so.3 -> libwebpdecoder.so.3.1.8*
-rwxr-xr-x  1 root  root    223584 févr. 13  2021 libwebpdecoder.so.3.1.1*
-rwxr-xr-x  1 root  root    223632 sept. 14 19:21 libwebpdecoder.so.3.1.8*
lrwxrwxrwx  1 root  root        22 sept. 23 23:39 libwebpdemux.so -> libwebpdemux.so.2.0.14*
lrwxrwxrwx  1 root  root        22 sept. 23 23:39 libwebpdemux.so.2 -> libwebpdemux.so.2.0.14*
-rwxr-xr-x  1 root  root     18560 sept. 14 19:21 libwebpdemux.so.2.0.14*
-rwxr-xr-x  1 root  root     18504 févr. 13  2021 libwebpdemux.so.2.0.7*
lrwxrwxrwx  1 root  root        20 sept. 23 23:39 libwebpmux.so -> libwebpmux.so.3.0.13*
lrwxrwxrwx  1 root  root        20 sept. 23 23:39 libwebpmux.so.3 -> libwebpmux.so.3.0.13*
-rwxr-xr-x  1 root  root     43288 sept. 14 19:21 libwebpmux.so.3.0.13*
-rwxr-xr-x  1 root  root     43224 févr. 13  2021 libwebpmux.so.3.0.6*
-rwxr-xr-x 1 root root 18824 févr. 17  2021 libpixbufloader-webp.so*
-rwxr-xr-x 1 root root 14520 févr. 17  2021 webp.so*
-rw-r--r-- 1 root root 260 sept. 14 19:21 libwebp.pc
-rw-r--r-- 1 root root 258 sept. 14 19:21 libwebpdecoder.pc
-rw-r--r-- 1 root root 273 sept. 14 19:21 libwebpdemux.pc
-rw-r--r-- 1 root root 292 sept. 14 19:21 libwebpmux.pc
drwxr-xr-x  2 root  root      99 sept. 14 19:21 libwebp-0.0-py3.9.egg-info/
drwxr-xr-x 4 root root 118 sept. 14 19:21 webp/
./python3.9/site-packages/com/google/webp:
-rwxr-xr-x 1 root root 49568 sept. 14 19:21 _libwebp.cpython-39-x86_64-linux-gnu.so*
-rw-r--r-- 1 root root  8209 sept. 14 00:11 libwebp.py
./python3.9/site-packages/com/google/webp/__pycache__:
-rw-r--r-- 1 root root 7448 sept. 14 19:21 libwebp.cpython-39.pyc
./python3.9/site-packages/libwebp-0.0-py3.9.egg-info:
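
Added example (not part of the thread or of Porteus): a POSIX shell check for the two things posts #3 and #8 verify by hand, namely which loaded modules carry a libwebp package older than 1.3.2 (the release whose changelog in post #4 names CVE-2023-4863) and which file the generic libwebp.so symlink resolves to. The function names and the sample tree are constructed for illustration; the paths follow the listings above.

```shell
#!/bin/sh
FIXED=1.3.2   # first libwebp release whose changelog lists CVE-2023-4863 (post #4)

# pkg_version libwebp-1.2.2-x86_64-1  ->  1.2.2  (Slackware name-version-arch-build)
pkg_version() { v=${1#libwebp-}; v=${v%-*}; v=${v%-*}; echo "$v"; }

# ver_lt A B: true when dotted version A is lower than B
ver_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# scan_modules IMAGES_DIR FIXED: one line per module that records a libwebp
# package; returns 1 if any of them is older than FIXED.
# Limit: a program that bundles its own copy of libwebp (the Chromium module
# in post #3 lists no libwebp file at all) is invisible to this check.
scan_modules() {
    vulnerable=0
    for entry in "$1"/*/var/lib/pkgtools/packages/libwebp-*; do
        [ -e "$entry" ] || continue
        module=${entry#"$1"/}; module=${module%%/*}
        v=$(pkg_version "${entry##*/}")
        if ver_lt "$v" "$2"; then
            echo "$module libwebp $v VULNERABLE"
            vulnerable=1
        else
            echo "$module libwebp $v ok"
        fi
    done
    return $vulnerable
}

# active_libwebp ROOT: the file the generic symlink points to right now.
# Re-run it after activating any module, since a later module can repoint it.
active_libwebp() {
    link="$1/usr/lib64/libwebp.so"
    [ -L "$link" ] || { echo "none"; return 1; }
    readlink "$link"
}

# Constructed sample tree imitating the listings in this thread.
make_sample() {
    mkdir -p "$1/images/002-xorg.xzm/var/lib/pkgtools/packages" \
             "$1/images/libwebp-1.3.2-x86_64-1.xzm/var/lib/pkgtools/packages" \
             "$1/root/usr/lib64"
    : > "$1/images/002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1"
    : > "$1/images/libwebp-1.3.2-x86_64-1.xzm/var/lib/pkgtools/packages/libwebp-1.3.2-x86_64-1"
    : > "$1/root/usr/lib64/libwebp.so.7.1.3"
    : > "$1/root/usr/lib64/libwebp.so.7.1.8"
    ln -s libwebp.so.7.1.8 "$1/root/usr/lib64/libwebp.so"
}

demo=$(mktemp -d)
make_sample "$demo"
scan_modules "$demo/images" "$FIXED" || echo "=> a loaded module ships libwebp older than $FIXED"
echo "libwebp.so -> $(active_libwebp "$demo/root")"
rm -rf "$demo"
```

On a running Porteus system the same functions would be called as `scan_modules /mnt/live/memory/images 1.3.2` and `active_libwebp /`.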


Post#9 by Rapha_ » 24 Sep 2023, 13:41

I discovered by accident* that the Firefox browser doesn't need the Porteus libraries (002-xorg.xzm) to view images in Webp format (it's viewable Internally).


* With the libwebp-1.3.2-x86_64-1.xzm module loaded at startup on Porteus v5.0rc3, the libwebp libraries were not installed in the system (and even all libwebp libraries were disabled!).

But with Porteus v5.0, the libwebp libraries are loaded and updated correctly.

Post#10 by Rava » 25 Sep 2023, 03:36

Rapha_ wrote:
24 Sep 2023, 13:41
I discovered by accident* that the Firefox browser doesn't need the Porteus libraries (002-xorg.xzm) to view images in Webp format (it's viewable Internally).

Chances are high FFx uses Google's Libwebp - just internally, and is vulnerable to CVE-2023-4863.

Would you code an access library all by yourself when a free to use version exists by the ones who bought the rights from the developers and put it under a free and open licence?

Thanks for the heads up on Porteus v5.0rc3 and Porteus v5.0. What reasons could someone have to still use an RC version when the final one came out ages ago?

Post#11 by Rapha_ » 26 Sep 2023, 10:52

Porteus v5.0rc3 works fine for me ...but I know I need to upgrade to v 5.0 for greater compatibility.

Well, I was using libwebp-1.3.2 for Slackware Current ...And actually it works fine for me with libwebp-1.3.2 for Slackware 15.0

Post#12 by Rava » 27 Sep 2023, 03:58

You can use virusscan.jotti.org to upload suspected malware code; I use it rarely but still use it over the years again and again. Best online scanner with the most supported scan engines out here. :)
Cheers!
Yours Rava

francois
Contributor
Posts: 6435
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Spring, spring, spring... ... winter is running out of breath.

Post#13 by francois » 27 Sep 2023, 12:18

Hummmmm!

What about a simple and direct howto for libwebp? :D
Take your time, enjoy the time that passes.

Post#14 by Rava » 27 Sep 2023, 19:35

francois wrote:
27 Sep 2023, 12:18
What about a simple and direct howto for libwebp? :D

If I had one that would fix all issues I would post it.
When you have one, please provide.
Cheers!
Yours Rava

Post#15 by Rava » 28 Sep 2023, 04:31

About Port 5.0.1 update:

Code:

chromium-ungoogled-117.0.5938.62-x86_64-en-US-1alien.xzm 2023-09-26 14:08  104M  
firefox-118.0-x86_64-en-US.xzm                           2023-09-26 14:09   69M  
google-chrome-117.0.5938.92-x86_64-en-US-1.xzm           2023-09-25 13:29  109M  

Are these versions immune against CVE-2023-4863?

The sha256 checksums according to the server:
f9d0262b528a9ee45263922e6040e030eee1862f2a3de326916384e22f04ec36 chromium-ungoogled-117.0.5938.62-x86_64-en-US-1alien.xzm
65730dfc17f6cf2dd0e0930ef9e356e6166492b51dade03427e8d223c24aadae firefox-118.0-x86_64-en-US.xzm
f4118e7eb8987390d6f6f88309abb2263761427912a15ad98a54bc4a3fecfbe0 google-chrome-117.0.5938.92-x86_64-en-US-1.xzm
Cheers!
Yours Rava
