Vulnerability CVE-2023-4863 of Google's Libwebp - CAVE! - affecting main browsers and known programs


Post#16 by ncmprhnsbl » 28 Sep 2023, 05:38

Rava wrote (28 Sep 2023, 04:31):
Are these versions immune against CVE-2023-4863 ?

short answer: yes
slightly longer answer:
i'll refer you back to your original link https://www.tarlogic.com/blog/cve-2023-4863/ :)
scroll down to the table that shows fixed versions.

Post#17 by Rava » 28 Sep 2023, 17:53

ncmprhnsbl wrote (28 Sep 2023, 05:38):
i'll refer you back to your original link https://www.tarlogic.com/blog/cve-2023-4863/ :)
scroll down to the table that shows fixed versions.

That's good info for everyone interested in which version has a fix (and of course any version newer than the ones listed has the fix as well).

So folks, just check the link out for yourself and switch your browser to a version that has the fix.
Because copying the table and adding [ code ] for formatting makes it look ugly:

Affected Version	Fixed Version	Documentation
Google Chrome	Ver. 116.0.5845.187 (Mac and Linux); Ver. 116.0.5845.187/.188 (Windows)	https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Mozilla Firefox	Ver. 117.0.1; Ver. ESR 102.15.1; Ver. ESR 115.2.1	https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Thunderbird	Ver. 102.15.1; Ver. 115.2.2	
Microsoft Edge	Ver. 116.0.1938.81	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
Brave	Ver. 1.58.124	https://github.com/brave/brave-browser/issues/33032
Opera	Ver. 102.0.4880.51	https://blogs.opera.com/desktop/2023/09/opera-102-0-4880-51-stable-update/
Vivaldi	Ver. 6.2	https://vivaldi.com/blog/desktop/minor-update-three-6-2/
Honeyview	Ver. 5.51	https://en.bandisoft.com/honeyview/history/

Cheers!
Yours Rava
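
Added example (not part of the original posts): a Python check of installed versions against the fixed versions in the table above, comparing numerically and per release branch. The rule that the major number identifies the branch, the product keys and the sample inventory are assumptions of this example; for Chrome it uses 116.0.5845.187 as the threshold on every platform.

```python
import re

# Fixed versions from the table quoted above; Firefox and Thunderbird list
# one fixed version per maintained branch (ESR lines and the release line).
FIXED = {
    "chrome": ["116.0.5845.187"],
    "firefox": ["102.15.1", "115.2.1", "117.0.1"],
    "thunderbird": ["102.15.1", "115.2.2"],
    "edge": ["116.0.1938.81"],
    "brave": ["1.58.124"],
    "opera": ["102.0.4880.51"],
    "vivaldi": ["6.2"],
    "honeyview": ["5.51"],
}

def parse(text):
    """First dotted number as an int tuple: '115.2.0esr' -> (115, 2, 0)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group().split("."))

def is_patched(product, installed):
    # Assumption of this example: the major number identifies the branch.
    have = parse(installed)
    fixed = [parse(v) for v in FIXED[product]]
    branch = [f for f in fixed if f[0] == have[0]]
    if branch:
        return have >= branch[0]
    # On no listed branch: patched only if newer than every listed fix
    # (Firefox 118 passes, Firefox 116 does not).
    return have > max(fixed)

def audit(inventory):
    """Products in {product: version string} that still need updating."""
    return sorted(p for p, v in inventory.items() if not is_patched(p, v))

# Constructed sample inventory (not taken from the thread).
SAMPLE = {
    "chrome": "Google Chrome 116.0.5845.96",
    "firefox": "Mozilla Firefox 115.2.1esr",
    "thunderbird": "Thunderbird 115.2.0",
    "vivaldi": "6.2.3105.45",
    "brave": "1.57.62",
}

print("still vulnerable:", audit(SAMPLE))
```

Comparing the version strings as text would wrongly rank 116.0.5845.96 above 116.0.5845.187, which is why the check converts each component to an integer first.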


Post#18 by gomway » 29 Sep 2023, 12:11

Rava wrote (29 Sep 2023, 11:08):
Found nothing on CVE-2023-4863 via https://www.blender.org/download/releases/ (or more specifically https://www.blender.org/download/releases/3-6/ ) nor via https://wiki.blender.org/ nor via https://devtalk.blender.org/

Here I've got something to read:
The WebP 0day: https://blog.isosceles.com/the-webp-0day/
Project Zero: https://googleprojectzero.blogspot.com/

How to identify the threat (with big list of affected and patched apps): https://www.ninjaone.com/blog/webp-0-da ... 2023-5129/

Electron-based vulnerable apps: https://gist.github.com/mttaggart/02ed5 ... 032dd2e7ec
gomway :crazy:

Post#19 by Rava » 29 Sep 2023, 12:16

^
Thanks for that. :friends:

Added in 14 minutes 35 seconds:
Rapha_ wrote (24 Sep 2023, 13:41):
I discovered by accident* that the Firefox browser doesn't need the Porteus libraries (002-xorg.xzm) to view images in Webp format (it's viewable Internally).

Most browsers use an internal routine for viewing webp internally because historically SM-Witless (or is it called MS-Weirdness?) had no support for webp in its OS environment.

Added in 2 minutes 13 seconds:
And since nowadays webp is the main standard for web based graphics instead of jpeg… all modern browsers support webp even if the OS you are running doesn't support webp, e.g. via SM-Witless' own image viewer.

Added in 4 minutes 45 seconds:
Even some Linux DEs have no support for viewing and editing/saving webp - when some programs rely on the support of raster graphics formats for saving files, e.g. I did nothing towards my viewnior module, the support for reading (and saving webp) comes via the support of Porteus itself. And that was added after I asked how I get webp support in viewnior ( viewnior-gtk3-1.7-x86_64-2ncm_sans_locale.xzm ). If I recall correctly, ncmprhnsbl was the :magic: magician who integrated it into Porteus many many moons ago. :)
Or to be more precise: I found out that the support has to come via integration of the webp libraries of the Linux OS itself, and from there on asked on here https://forum.porteus.org how that can be accomplished, and the rest is history as the saying goes. :Bravo: ncmprhnsbl. :D
Cheers!
Yours Rava


Post#20 by Rapha_ » 30 Sep 2023, 11:52

Rava wrote (29 Sep 2023, 12:38):
And since nowadays webp is the main standard for web based graphics instead of jpeg

Not true!
Which image format is most widely used on the Internet in 2023? The answer is PNG, with a usage rate of 82.1%, followed closely by JPEG at 77.9%
WebP ---> 4 %

( Source : https://scanse.io/blog/usage-statistics ... e-formats/ )



This WebP image format has been exposing billions of users to security vulnerabilities for years!

Libwebp - Security Bug Tracker :
CVE-2023-4863 Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.1 ...
CVE-2023-1999 There exists a use after free/double free in libwebp. An attacker can ...
CVE-2020-36332 A flaw was found in libwebp in versions before 1.0.1. When reading a f ...
CVE-2020-36331 A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...
CVE-2020-36330 A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds ...
CVE-2020-36329 A flaw was found in libwebp in versions before 1.0.1. A use-after-free ...
CVE-2020-36328 A flaw was found in libwebp in versions before 1.0.1. A heap-based buf ...
CVE-2018-25014 A use of uninitialized value was found in libwebp in versions before 1 ...
CVE-2018-25013 A heap-based buffer overflow was found in libwebp in versions before 1 ...
CVE-2018-25012 A heap-based buffer overflow was found in libwebp in versions before 1 ...
CVE-2018-25011 A heap-based buffer overflow was found in libwebp in versions before 1 ...
CVE-2018-25010 A heap-based buffer overflow was found in libwebp in versions before 1 ...
CVE-2018-25009 A heap-based buffer overflow was found in libwebp in versions before 1 ...
CVE-2016-9969 In libwebp 0.5.1, there is a double free bug in libwebpmux.
CVE-2016-9085 Multiple integer overflows in libwebp allows attackers to have unspeci ...
CVE-2012-5127 Integer overflow in Google Chrome before 23.0.1271.64 allows remote at .
( Source : https://security-tracker.debian.org/tra ... ge/libwebp )


Post#21 by Rava » 30 Sep 2023, 15:48

^
I stand corrected, kudos to you.

I still use it:
File size comparison / sorted smallest file size first:

$ ls -oSr forum.porteus.org_rem*
-rw-r--r-- 1 guest  25422 2023-09-20 09:20 forum.porteus.org_rem_lossless.webp
-rw-r--r-- 1 guest 123434 2023-09-20 09:20 forum.porteus.org_rem.webp
-rw-r--r-- 1 guest 148685 2023-09-20 09:20 forum.porteus.org_rem.png

All files are the same: 335 x 1528, 8-bit/color RGB, non-interlaced; screenshot similar to a simple drawing

lossless.webp : best / smallest file size
.webp lossy 93% quality : medium file size
.png max compression, lossless : largest file size

Usually the sorting is like so:
.webp lossy 93% quality : best / smallest file size
lossless.webp : medium file size
.png max compression, lossless : largest file size

Seems it is a more modern and efficient file standard, while it has more vulnerabilities than png.
If I recall correctly, jpeg had some vulnerabilities years back, but I do not recall png ever having one. But maybe I am wrong on these details as well.
Cheers!
Yours Rava
