Closed Bug 1852649 (CVE-2023-4863) Opened 10 months ago Closed 10 months ago

Out-of-bounds write in BuildHuffmanTable

Categories

(Core :: Graphics: ImageLib, defect, P1)

Desktop
All
defect

Tracking


VERIFIED FIXED
119 Branch
Tracking Status
firefox-esr102 117+ verified
firefox-esr115 117+ verified
firefox117 + verified
firefox118 + verified
firefox119 + verified

People

(Reporter: mccr8, Assigned: RyanVM)

References

Details

(4 keywords, Whiteboard: [land test after chrome bug is public][adv-main117.0.1+][adv-esr115.2.1+][adv-esr102.15.1+])

Crash Data

Attachments

(4 files, 1 obsolete file)

Chromium posted an update today that includes the following:

[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06 [...] Google is aware that an exploit for CVE-2023-4863 exists in the wild.

I saw on Twitter that the patch is here and it looks like code we ship.

Based on the Apple reference, I'm guessing this could be the zero day Apple patched recently.

[Tracking Requested - why for this release]: Security vulnerability being exploited in the wild, though probably in Apple or Chrome's products.
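The title names BuildHuffmanTable, the routine that turns a list of code lengths into the lookup tables the decoder indexes with input bits. As an added example (not libwebp's code, not the upstream patch, and not a reproduction of this bug), here is a two-level table builder in the same general style, in which the space the tables need is computed from the code lengths in a dry run before any entry is written; the names build_table, build_checked and decode, the 15-bit length cap, the symbol cap, and the sample code lengths are all assumptions made for this example.

```c
/* Two-level canonical Huffman lookup tables in the style used by libwebp and
 * brotli: a root table indexed by the first root_bits of input, plus sub-tables
 * for longer codes. How much table space a code needs depends on the code
 * lengths, so the buffer is sized by a dry run before anything is written.
 * Added example: not libwebp's code and not the upstream fix. */
#include <stdint.h>
#include <stdlib.h>

#define MAX_LEN 15       /* longest code length accepted (assumed cap) */
#define MAX_SYMBOLS 512  /* symbol cap chosen for this example */
typedef struct { uint8_t bits; uint16_t value; } Entry;

/* Store e at t[0], t[step], ... below end: the only write path. */
static void replicate(Entry *t, int step, int end, Entry e) {
  do { end -= step; t[end] = e; } while (end > 0);
}

/* Next canonical code of length len, bit-reversed (LSB-first). */
static int next_key(int key, int len) {
  int step = 1 << (len - 1);
  while (key & step) step >>= 1;
  return step ? (key & (step - 1)) + step : key;
}

/* log2 size of the sub-table holding codes from length len upward. */
static int next_table_bits(const int *count, int len, int root_bits) {
  int left = 1 << (len - root_bits);
  while (len < MAX_LEN && (left -= count[len]) > 0) { ++len; left <<= 1; }
  return len - root_bits;
}

/* Returns the number of Entry slots the tables need, or 0 if lens is not a valid
 * complete prefix code. root == NULL is a sizing pass that writes nothing. */
int build_table(Entry *root, int root_bits, const uint8_t *lens, int n) {
  int count[MAX_LEN + 1] = {0}, offset[MAX_LEN + 2], sorted[MAX_SYMBOLS];
  int len, sym, ncodes, root_size = 1 << root_bits, total = root_size;
  if (n < 1 || n > MAX_SYMBOLS) return 0;
  for (sym = 0; sym < n; ++sym) { if (lens[sym] > MAX_LEN) return 0; ++count[lens[sym]]; }
  if (count[0] == n) return 0;                 /* no codes at all */
  for (offset[1] = 0, len = 1; len <= MAX_LEN; ++len) {
    if (count[len] > (1 << len)) return 0;    /* more codes than one level holds */
    offset[len + 1] = offset[len] + count[len];
  }
  ncodes = offset[MAX_LEN + 1];
  for (sym = 0; sym < n; ++sym)               /* order symbols by (length, symbol) */
    if (lens[sym]) sorted[offset[lens[sym]]++] = sym;
  if (ncodes == 1 && root) { Entry e = {0, (uint16_t)sorted[0]}; replicate(root, 1, root_size, e); }
  if (ncodes == 1) return total;               /* lone symbol: zero-bit code */
  Entry *table = root;                         /* sub-table being filled */
  int key = 0, num_nodes = 1, num_open = 1, low = -1, table_size = root_size;
  for (sym = 0, len = 1; len <= MAX_LEN; ++len) {
    int step = 1 << (len <= root_bits ? len : len - root_bits);
    num_nodes += (num_open <<= 1);             /* Kraft bookkeeping per level */
    if ((num_open -= count[len]) < 0) return 0;  /* over-subscribed */
    for (; count[len] > 0; --count[len]) {
      if (len <= root_bits) {
        if (root) {
          Entry e = {(uint8_t)len, (uint16_t)sorted[sym++]};
          replicate(&root[key], step, root_size, e);
        }
      } else {
        if ((key & (root_size - 1)) != low) {  /* codes now land in a new sub-table */
          int table_bits = next_table_bits(count, len, root_bits);
          if (root) table += table_size;
          table_size = 1 << table_bits;
          total += table_size;                 /* growth is dictated by the input */
          low = key & (root_size - 1);
          if (root) {                          /* root entry points at the sub-table */
            root[low].bits = (uint8_t)(table_bits + root_bits);
            root[low].value = (uint16_t)((table - root) - low);
          }
        }
        if (root) {
          Entry e = {(uint8_t)(len - root_bits), (uint16_t)sorted[sym++]};
          replicate(&table[key >> root_bits], step, table_size, e);
        }
      }
      key = next_key(key, len);
    }
  }
  return num_nodes == 2 * ncodes - 1 ? total : 0;  /* 0: incomplete code */
}

/* Size first, allocate exactly that, then fill: never a fixed-size buffer. */
Entry *build_checked(int root_bits, const uint8_t *lens, int n, int *size) {
  int need = build_table(NULL, root_bits, lens, n);
  Entry *t = need ? calloc((size_t)need, sizeof *t) : NULL;
  if (t && build_table(t, root_bits, lens, n) != need) { free(t); t = NULL; }
  if (size) *size = t ? need : 0;
  return t;
}

/* Decode one symbol from LSB-first bits; *used (optional) gets its length. */
int decode(const Entry *root, int root_bits, uint32_t bits, int *used) {
  const Entry *e = &root[bits & ((1u << root_bits) - 1)]; int n = e->bits;
  if (n > root_bits) {                         /* follow the pointer into a sub-table */
    e += e->value + ((bits >> root_bits) & ((1u << (n - root_bits)) - 1));
    n = root_bits + e->bits;
  }
  if (used) *used = n;
  return e->value;
}
```

With root_bits = 2, the constructed complete code (lengths 1,2,3,4,4) needs eight entries: a four-entry root table and one four-entry sub-table, and build_checked allocates exactly that before filling. For the constructed incomplete code (lengths 1,2,3,4), the sizing pass computes a 2^13-entry sub-table for the length-3 code and then fails the completeness check, so nothing is allocated or written; a builder that filled a fixed-size buffer before running that check would have no bound on its writes. replicate() is the only write path, and every end value it receives comes from the same size computation the caller used to allocate.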

RyanVM has a rebased patch.

If RyanVM posts the patch I can review tonight.

Assignee: nobody → ryanvm
Status: NEW → ASSIGNED

The Apple issue I was thinking of is CVE-2023-41064 with the description "A buffer overflow issue was addressed with improved memory handling. [...] Processing a maliciously crafted image may lead to arbitrary code execution.". That's consistent with this, but I don't know if it is actually the same thing.

Comment on attachment 9352586 [details]
Bug 1852649 - Cherry-pick upstream libwebp fix.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Presumably easily since this was already being exploited in other browsers. Not sure if it'd need a sandbox escape to go with it to do any real damage though?
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Grafts cleanly all the way to ESR102
  • How likely is this patch to cause regressions; how much testing does it need?: Unsure. Seems to pass tests on Try.
  • Is Android affected?: Yes
Attachment #9352586 - Flags: sec-approval?

Comment on attachment 9352586 [details]
Bug 1852649 - Cherry-pick upstream libwebp fix.

I'm probably not the ideal person to give this sec-approval, but nobody else seems to be around and the trickiest part of it is coordinating the release stuff, which Ryan is on top of.

Attachment #9352586 - Flags: sec-approval? → sec-approval+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/80e4521e9b09
Cherry-pick upstream libwebp fix. r=tnikkel, a=RyanVM
https://hg.mozilla.org/releases/mozilla-esr115/rev/96bd93fca47a (default branch for 115.3esr)
https://hg.mozilla.org/releases/mozilla-esr115/rev/2e61ec742c20 (FIREFOX_ESR_115_2_X_RELBRANCH)
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Attachment #9352586 - Flags: approval-mozilla-release+
Attachment #9352586 - Flags: approval-mozilla-esr115+
Attachment #9352586 - Flags: approval-mozilla-esr102+
Attachment #9352586 - Flags: approval-mozilla-beta+
Whiteboard: [land test after chrome bug is public]
Crash Signature: [@ ReplicateValue ]
Keywords: testcase
Attached file advisory.txt (obsolete) —
Attachment #9352622 - Attachment description: advsiory.txt → advisory.txt
Attachment #9352622 - Attachment is obsolete: true
Attached file advisory.txt

Can we do an analysis of what it takes to hit this with fuzzing and why it might not have been found previously?

Flags: needinfo?(twsmith)
Whiteboard: [land test after chrome bug is public] → [land test after chrome bug is public][reminder-test 2023-12-12]

I have used the following steps and reproduced a tab crash:

  1. Download and open asan build
  2. Load the malicious webp image: https://bugzilla.mozilla.org/attachment.cgi?id=9352592
    Actual: Tab crash.
    Expected: Tab does NOT crash.

We have reproduced it on Windows 10 and Ubuntu 20 with Nightly v119.0a1 from 2023-09-11-09-18-54, Beta v118.0b7 asan, Release v117.0.1 build 1 and verified this fix in Nightly v119.0a1 from 2023-09-12-04-12-49, Beta v118.0b8, Release v117.0.1 build 2, ESR v115.2.1esr, ESR v115.3.0esr and ESR v102.15.1esr.
macOS ASan builds would not run, so we could not reproduce or verify on macOS.

Status: RESOLVED → VERIFIED
OS: Unspecified → All
Hardware: Unspecified → Desktop

(In reply to Christian Holler (:decoder) from comment #20)

Can we do an analysis of what it takes to hit this with fuzzing and why it might not have been found previously?

The existing in-tree fuzzer can "detect" this issue (replaying the test case), but it is unclear why it did not find it. There are more fuzzers in oss-fuzz using multiple engines (afl++, etc.) which also failed to find this issue. Given the source of this issue, this could be "by design" or the corpus data is simply insufficient in all cases. We can open another bug for additional analysis if needed.

Flags: needinfo?(twsmith)

2 months ago, RyanVM placed a reminder on the bug using the whiteboard tag [reminder-test 2023-12-12] .

RyanVM, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(ryanvm)
Whiteboard: [land test after chrome bug is public][reminder-test 2023-12-12] → [land test after chrome bug is public]
Flags: needinfo?(ryanvm)
Whiteboard: [land test after chrome bug is public] → [land test after chrome bug is public][reminder-test 2024-02-12]

The Chromium bug (in the See Also) is public now.

Flags: needinfo?(ryanvm)
Flags: needinfo?(ryanvm)
Whiteboard: [land test after chrome bug is public][reminder-test 2024-02-12] → [land test after chrome bug is public]
Group: core-security-release
Alias: CVE-2023-4863
Blocks: 1901352
Whiteboard: [land test after chrome bug is public] → [land test after chrome bug is public][adv-main117.0.1+][adv-esr115.2.1+][adv-esr102.15.1+]
