author | Soumya Sambu <soumya.sambu@windriver.com> | 2023-11-03 08:55:47 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-17 06:00:32 -1000 |
commit | a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1 (patch) | |
tree | 70c7223e00e1ca237fc07dab8e2538c2ab9c0bc7 /meta | |
parent | be04eefcaf2e28270fecc370d382c7fb82ec9372 (diff) | |
download | poky-a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1.tar.gz |
libwebp: Fix CVE-2023-4863
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.
Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863.
CVE: CVE-2023-4863
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12
(From OE-Core rev: b69bef1169cb33c153384be81845eaf903dc1570)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch (renamed from meta/recipes-multimedia/webp/files/CVE-2023-5129.patch) | 27 | ||||
-rw-r--r-- | meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch | 53 | ||||
-rw-r--r-- | meta/recipes-multimedia/webp/libwebp_1.1.0.bb | 3 |
3 files changed, 66 insertions, 17 deletions
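--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud <vrabaud@google.com>
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,16 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
 
-Notice that it references different CVE id:
-https://nvd.nist.gov/vuln/detail/CVE-2023-5129
-which was marked as a rejected duplicate of:
-https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-but it's the same issue. Hence update CVE ID CVE-2023-4863
+CVE: CVE-2023-4863
 
-CVE: CVE-2023-5129 CVE-2023-4863
-Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]
-Signed-off-by: Colin McAllister <colinmca242@gmail.com>
-Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
 ---
 src/dec/vp8l_dec.c | 46 ++++++++++---------
 src/dec/vp8li_dec.h | 2 +-
@@ -30,7 +25,7 @@ Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
 4 files changed, 129 insertions(+), 43 deletions(-)
 
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 93615d4e..0d38314d 100644
+index 93615d4..0d38314 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -178,7 +173,7 @@ index 93615d4e..0d38314d 100644
 assert(dec->hdr_.num_htree_groups_ > 0);
 
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -191,7 +186,7 @@ index 72b2e861..32540a4b 100644
 
 typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 0cba0fbb..9efd6283 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -322,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
 + }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -367,5 +362,5 @@ index 13b7ad1a..98415c53 100644
 
 #ifdef __cplusplus
 --
-2.34.1
+2.40.0
 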
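--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+src/dec/vp8l_dec.c | 15 +++++++++++++--
+1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 0d38314..684a5b6 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+}
+
+br->eos_ = VP8LIsEndOfStream(br);
+- if (dec->incremental_ && br->eos_ && src < src_end) {
++ // In incremental decoding:
++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++ // be reset until there is more data.
++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++ // fully read, either enough has been read to reach 'src_last'.
++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++ // The buffer might have been enough or there is some left. 'br->eos_' does
++ // not matter.
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++ if (dec->incremental_ && br->eos_ && src < src_last) {
+RestoreState(dec);
+- } else if (!br->eos_) {
++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+// Process the remaining rows corresponding to last row-block.
+if (process_func != NULL) {
+process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0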
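Review bot: In the DecodeImageData hunk carried by this patch, the three-case invariant described in the new comment is checked only by `assert(!dec->incremental_ || ...)`, which disappears when libwebp is built with NDEBUG, so a production build relies solely on the `if`/`else if` conditions that follow it. In the case the comment calls impossible (incremental decoding with `!br->eos_` and `src < src_last`) the `|| !br->eos_` arm would still run `process_func`; this appears to match the pre-patch path, but it is worth stating beside the assert, e.g. `// Debug-only check: with NDEBUG the '!br->eos_ && src < src_last' case takes the row-processing branch below.`. `src_last` and the rest of DecodeImageData lie outside the hunk, so whether the 1.1.0 decode loop bounds `src` by `src_last` in the same way as the upstream tree the fix was written for should be confirmed against the patched source.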
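--- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
 
 SRC_URI += " \
 file://CVE-2023-1999.patch \
-file://CVE-2023-5129.patch \
+file://CVE-2023-4863-0001.patch \
+file://CVE-2023-4863-0002.patch \
 "
 
 EXTRA_OECONF = " \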