https://www.tarlogic.com/blog/cve-2023-4863/
(highlighting by me)
This vulnerability not only affects the Mozilla Firefox browser or others based on Chromium (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave, …) but also affects applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
About Palemoon I have this info:
https://forum.palemoon.org/viewtopic.ph ... 01#p243601
Moonchild wrote: It doesn't seem to be directly exploitable in our platform code, by the way, so mostly a defense-in-depth fix.
Read more in-depth details here:
https://www.tarlogic.com/blog/cve-2023-4863/
I just quote some small parts.
(highlighting by me)
CVE-2023-4863: Heap buffer overflow in Google libwebp (WebP)
19 - Sep - 2023 - S.T.A².R.S Team
[…]
The Chromium team has already reported the exploitation of this zero-day in the wild, so it is recommended to update affected products as soon as possible.
Key features of CVE-2023-4863
The main characteristics of this vulnerability are detailed below:
CVE Identifier: CVE-2023-4863
Publishing date: 12/09/2023
Affected Software: Browsers such as Mozilla Firefox or Chromium based (Google Chrome, Microsoft Edge, Opera, Vivaldi, Brave); and applications such as Thunderbird, Honeyview, Signal Electron, Affinity, Gimp, Inkscape, LibreOffice, Telegram, ffmpeg or 1Password, among others.
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected versions
Multiple products are affected. The affected versions are those lower than the ones listed in the Mitigation table.
CVE-2023-4863 affects major web browsers
Added in 11 hours 29 minutes 42 seconds:
ncmprhnsbl told me via PM that the updated newest version of libwebp will be included in the next upcoming update.
If you want a quicker fix you can do it yourself.
I only found libwebp in 002-xorg.xzm, but at the time of my find and grep test I had none of the known affected programs activated as modules (no GIMP, no chrom[ei]*, no firefox, none of the other known vulnerable programs), so you have to test all possible affected modules manually yourself.
guest@rava:/mnt/live/memory/images$ find . 2>/dev/null |grep libwebp
./002-xorg.xzm/usr/lib64/libwebp.so
./002-xorg.xzm/usr/lib64/libwebp.so.7
./002-xorg.xzm/usr/lib64/libwebp.so.7.1.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3
./002-xorg.xzm/usr/lib64/libwebpdecoder.so.3.1.3
./002-xorg.xzm/usr/lib64/libwebpdemux.so
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2
./002-xorg.xzm/usr/lib64/libwebpdemux.so.2.0.9
./002-xorg.xzm/usr/lib64/libwebpmux.so
./002-xorg.xzm/usr/lib64/libwebpmux.so.3
./002-xorg.xzm/usr/lib64/libwebpmux.so.3.0.8
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/__pycache__/libwebp.cpython-39.pyc
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/_libwebp.cpython-39-x86_64-linux-gnu.so
./002-xorg.xzm/usr/lib64/python3.9/site-packages/com/google/webp/libwebp.py
./002-xorg.xzm/usr/lib64/python3.9/site-packages/libwebp-0.0-py3.9.egg-info
./002-xorg.xzm/var/lib/pkgtools/packages/libwebp-1.2.2-x86_64-1
You have to run the appropriate removepkg command to uninstall libwebp - not from your system but from your extracted module.
You have to run the appropriate installpkg command to install the most recent libwebp - not into your system but into your extracted module folder.
Create a new updated 002-xorg.xzm module, name it e.g. 002-xorg_libwebp-fix.xzm
Which of the listed libwebp* needs to be updated I do not know.
Added in 43 seconds:
Cave! If you do not know how to update a base module and/or do not know which libwebp* need to be updated, wait till ncmprhnsbl releases the official update.
Since Chromium already encountered an exploit in the wild using this vulnerability (see the quote above), best refrain from using any Chromium module until you get a fixed version.
Then mark your older Chromium modules as vulnerable, when there are reasons to keep older versions, like renaming these:
e.g.
mv 005-chromium-ungoogled-105.0.5195.125-x86_64-en-GB-1alien-NO-browser.desktop.xzm 005-chromium-ungoogled-LIBWEBP-VULNERABILITY-105.0.5195.125-x86_64-en-GB-1alien-NO-browser.desktop.xzm
Chances are very high that exploits of other known browsers and well known and used programs will appear in the wild as well, e.g. against Firefox, against GIMP etcetera.
Do not put any known vulnerable module of any of the affected programs into your base/ or optional/ folder, or they would be activated on next boot by default when in base/ (or via kernel APPEND cheat code when in optional/), and the renaming that was meant as a warning and reminder for you would be of no consequence.
On the 2nd page of this thread gomway shared some neat informative links and I put these here as well since I deem them essential enough:
gomway wrote: 29 Sep 2023, 12:11
The WebP 0day: https://blog.isosceles.com/the-webp-0day/
Project Zero: https://googleprojectzero.blogspot.com/
How to identify the threat (with big list of affected and patched apps): https://www.ninjaone.com/blog/webp-0-da ... 2023-5129/
Electron-based vulnerable apps: https://gist.github.com/mttaggart/02ed5 ... 032dd2e7ec
Thanks gomway!
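
The find/grep check from the post, generalized as an added example (not code from the original post or from Porteus): it reads the libwebp entry in each module's Slackware-style package database and compares the recorded version with a first-fixed version that you pass in from the advisory's mitigation table. The function names and the OUTDATED/OK output format are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumes modules are mounted or extracted as directories
# under ROOT (e.g. /mnt/live/memory/images), each with package database
# entries named name-version-arch-build in var/lib/pkgtools/packages.

# ver_lt A B: succeed if version A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# scan_modules ROOT FIXED_VERSION
# Prints one line per module that records a libwebp package:
#   OUTDATED <module> <version>   or   OK <module> <version>
# Returns 1 if any module is OUTDATED, otherwise 0.
scan_modules() {
    root=$1 fixed=$2 rc=0
    for entry in "$root"/*/var/lib/pkgtools/packages/libwebp-*; do
        [ -e "$entry" ] || continue              # glob matched nothing
        pkg=${entry##*/}                         # e.g. libwebp-1.2.2-x86_64-1
        rest=${pkg%-*}; rest=${rest%-*}          # drop build, then arch
        [ "${rest%-*}" = "libwebp" ] || continue # skip other libwebp-* names
        ver=${rest##*-}
        module=${entry#"$root"/}; module=${module%%/*}
        if ver_lt "$ver" "$fixed"; then
            echo "OUTDATED $module $ver"; rc=1
        else
            echo "OK $module $ver"
        fi
    done
    return $rc
}

# Usage: sh scan.sh /mnt/live/memory/images <first-fixed-libwebp-version>
if [ "$#" -eq 2 ]; then
    scan_modules "$1" "$2"
fi
```

Programs that ship their own bundled copy of libwebp instead of the shared system library do not appear in this package database entry, so a clean result covers only the libwebp package itself.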