Discussion:
libwebp security hole and Mageia
William Unruh
2023-10-16 20:28:49 UTC
At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not just Chrome),
and seemed to imply that many
programs had compiled libwebp into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.

Any insight and advice would be helpful.
David W. Hodgins
2023-10-16 21:43:15 UTC
Post by William Unruh
At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not just Chrome),
and seemed to imply that many
programs had compiled libwebp into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.
Any insight and advice would be helpful.
Mageia does not bundle libwebp in the various browsers or other packages, so it
only has the one package for the system that had to be fixed, instead of having
to fix every program that processes content from the web.

Mageia makes proper usage of libification. Flatpak and other things like Rust's
cargo system that bundle a copy of a working version of every library used by
a program require much more work for security updates. Instead of updating one
package, dozens of packages have to be updated. Such systems are a security
nightmare. There are exceptions where some libraries are bundled, but only a
few, and libwebp is not used by any of those.

While proper usage of libification is much better from a security point of view,
it's also the main reason that Mageia uses a stable release model instead of a
rolling release model. With a rolling release, the problem is similar to using
bundled libraries. Much more work involved in every library package update.

Regards, Dave Hodgins
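
The difference between one shared system library and per-application copies can be checked on a given machine. The script below is an added example, not part of the thread: it lists libwebp shared objects under the directories passed to it and marks each as the distribution's copy or a private one. The function names and the choice of system directories are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): inventory libwebp shared objects and
# separate the distribution's copy from private copies shipped inside
# application directories (Flatpak runtimes, /opt, home directories, ...).
# The pattern also matches libwebpmux/libwebpdemux, built from the same source.
# Limitation: a libwebp statically linked into an executable has no file of
# its own and is not found by a file-name search.

# True when the path lies in a directory the distribution installs libraries to.
is_system_lib() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Name of the rpm package owning the file, or "none" (also when rpm is absent).
owner_of() {
    if command -v rpm >/dev/null 2>&1 &&
       webp_pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        printf '%s\n' "$webp_pkg" | head -n 1
    else
        echo none
    fi
}

# scan_webp ROOT...  prints one line per file: "<class> <owner> <path>"
scan_webp() {
    find "$@" -type f -name 'libwebp*.so*' 2>/dev/null |
    while IFS= read -r webp_file; do
        if is_system_lib "$webp_file"; then webp_class=system; else webp_class=private; fi
        printf '%s %s %s\n' "$webp_class" "$(owner_of "$webp_file")" "$webp_file"
    done
}

# Example: sh scan.sh /usr/lib64 /opt /var/lib/flatpak "$HOME"
if [ "$#" -gt 0 ]; then
    scan_webp "$@"
fi
```

A line starting with `private` is a copy that the system libwebp update does not touch and that has to be updated with the application that ships it.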
William Unruh
2023-10-18 21:14:10 UTC
Post by David W. Hodgins
Post by William Unruh
At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not just Chrome),
and seemed to imply that many
programs had compiled libwebp into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.
Any insight and advice would be helpful.
Mageia does not bundle libwebp in the various browsers or other packages, so it
only has the one package for the system that had to be fixed, instead of having
to fix every program that processes content from the web.
Mageia makes proper usage of libification. Flatpak and other things like Rust's
cargo system that bundle a copy of a working version of every library used by
a program require much more work for security updates. Instead of updating one
package, dozens of packages have to be updated. Such systems are a security
nightmare. There are exceptions where some libraries are bundled, but only a
few, and libwebp is not used by any of those.
While proper usage of libification is much better from a security point of view,
it's also the main reason that Mageia uses a stable release model instead of a
rolling release model. With a rolling release, the problem is similar to using
bundled libraries. Much more work involved in every library package update.
Regards, Dave Hodgins
I note that there is also a 32 bit version for libwebp, which is dated
Sep 6, not Sept 26. Does it also contain the latest fix for this
security flaw?
David W. Hodgins
2023-10-18 22:40:38 UTC
Post by William Unruh
I note that there is also a 32 bit version for libwebp, which is dated
Sep 6, not Sept 26. Does it also contain the latest fix for this
security flaw?
Where are you getting that date from?

On m8 x86_64 with 32 bit repos enabled ...
$ rpm -q -i lib64webp7 libwebp7|grep ^'Build Date'
Build Date : 2023-09-14T09:54:41 EDT
Build Date : 2023-09-14T09:55:36 EDT

On m9 x86_64 ...
$ rpm -q -i lib64webp7|grep ^'Build Date'
Build Date : 2023-09-14T09:54:30 EDT

On m9 i586 ...
$ rpm -q -i libwebp7|grep ^'Build Date'
Build Date : 2023-09-14T09:54:37 EDT

Regards, Dave Hodgins
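
Build date, install date and advisory date are separate values, which is the source of the confusion in this exchange. The following is an added example, not part of the thread: it finds the changelog entry of a package that names a given CVE. The function name and the sample changelog are constructed for the example, and it assumes the packager recorded the CVE in the changelog.

```shell
#!/bin/sh
# Added example, not from the thread. On an rpm system the build and install
# times of the installed package come from:
#   rpm -q --qf '%{NAME} built %{BUILDTIME:date}, installed %{INSTALLTIME:date}\n' lib64webp7
# and the changelog can be searched for the CVE with:
#   rpm -q --changelog lib64webp7 | cve_entries CVE-2023-4863
# Assumption: the packager named the CVE in the changelog. No match does not
# prove the package is unpatched (the fix may have arrived by a version bump).

# cve_entries CVE-ID   (changelog text on stdin)
# Prints the header line ("* date packager version-release") of every entry
# whose body mentions the CVE. Exit status 1 when no entry mentions it.
cve_entries() {
    awk -v cve="$1" '
        /^\* /                  { header = $0; seen = 0; next }  # new entry
        index($0, cve) && !seen { print header; seen = 1; found = 1 }
        END                     { exit (found ? 0 : 1) }
    '
}

# Constructed sample in rpm changelog layout; not the real Mageia changelog.
SAMPLE_CHANGELOG='* Thu Sep 14 2023 packager <packager@example.invalid> X.Y.Z-2
- add upstream patch for CVE-2023-4863
* Mon Jan 02 2023 packager <packager@example.invalid> X.Y.Z-1
- new version'

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_entries CVE-2023-4863
```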

TJ
2023-10-16 23:03:09 UTC
Post by William Unruh
At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not just Chrome),
and seemed to imply that many
programs had compiled libwebp into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.
Any insight and advice would be helpful.
https://www.cpomagazine.com/cyber-security/documented-libwebp-security-vulnerability-looks-to-be-part-of-pegasus-blastpass-attack-chain/
identifies the vulnerability as CVE-2023-4863.

Searching Mageia's Bugzilla,
https://bugs.mageia.org/show_bug.cgi?id=32280 shows that this was fixed
in both Mageia 8 and Mageia 9, and the update was pushed on October 3.

TJ
William Unruh
2023-10-17 02:55:16 UTC
Post by TJ
Post by William Unruh
At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not just Chrome),
and seemed to imply that many
programs had compiled libwebp into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.
Any insight and advice would be helpful.
https://www.cpomagazine.com/cyber-security/documented-libwebp-security-vulnerability-looks-to-be-part-of-pegasus-blastpass-attack-chain/
identifies the vulnerability as CVE-2023-4863.
Searching Mageia's Bugzilla,
https://bugs.mageia.org/show_bug.cgi?id=32280 shows that this was fixed
in both Mageia 8 and Mageia 9, and the update was pushed on October 3.
But the latest libwebp packages have a date of Sep 26, not Oct 3. I
guess this could mean that they were compiled on Sep 26 but then,
because of testing, the package was only put out (without recompilation)
on Oct 3.
Post by TJ
TJ
David W. Hodgins
2023-10-17 04:20:02 UTC
Post by William Unruh
But the latest libwebp packages have a date of Sep 26, not Oct 3. I
guess this could mean that they were compiled on Sep 26 but then,
because of testing, the package was only put out (without recompilation)
on Oct 3.
https://bugs.mageia.org/show_bug.cgi?id=32317#c5 (Sept. 29th) is when we became
aware it was a zero day bug, which is after it was actually fixed.

https://www.cve.org/CVERecord?id=CVE-2023-5129 was rejected as a dup of
CVE-2023-4863.

The updates that fixed it for Mageia users were in bug 32258 (firefox/tb), 32317
(chromium) and 32280 for libwebp itself.

Regards, Dave Hodgins