Out-of-bounds write in BuildHuffmanTable
Categories: Core :: Graphics: ImageLib, defect, P1
People: Reporter: mccr8, Assigned: RyanVM
Details: 4 keywords, Whiteboard: [land test after chrome bug is public][adv-main117.0.1+][adv-esr115.2.1+][adv-esr102.15.1+]
Attachments (4 files, 1 obsolete file):
- 48 bytes, text/x-phabricator-request; flags: approval-mozilla-beta+, approval-mozilla-release+, approval-mozilla-esr102+, approval-mozilla-esr115+ (RyanVM), sec-approval+ (mccr8)
- 1.05 KB, image/webp
- 48 bytes, text/x-phabricator-request
- 312 bytes, text/plain
Chromium posted an update today that includes the following:
[$NA][1479274] Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06 [...] Google is aware that an exploit for CVE-2023-4863 exists in the wild.
I saw on Twitter that the patch is here and it looks like code we ship.
Based on the Apple reference, I'm guessing this could be the zero day Apple patched recently.
Comment 1 • 10 months ago (Reporter)
[Tracking Requested - why for this release]: Security vulnerability being exploited in the wild, though probably in Apple or Chrome's products.
Comment 2 • 10 months ago (Reporter)
RyanVM has a rebased patch.
Comment 3 • 10 months ago
If RyanVM posts the patch I can review tonight.
Comment 5 • 10 months ago (Assignee)
Try push (though job ingestion seems backed up tonight...)
https://treeherder.mozilla.org/jobs?repo=try&revision=f1534cbd5c9a741af4d6948cbc5f7c2c145798e7
Comment 6 • 10 months ago (Reporter)
The Apple issue I was thinking of is CVE-2023-41064 with the description "A buffer overflow issue was addressed with improved memory handling. [...] Processing a maliciously crafted image may lead to arbitrary code execution." That's consistent with this, but I don't know if it is actually the same thing.
Comment 7 • 10 months ago (Assignee)
Comment on attachment 9352586 [details]
Bug 1852649 - Cherry-pick upstream libwebp fix.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Presumably easily since this was already being exploited in other browsers. Not sure if it'd need a sandbox escape to go with it to do any real damage though?
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Grafts cleanly all the way to ESR102
- How likely is this patch to cause regressions; how much testing does it need?: Unsure. Seems to pass tests on Try.
- Is Android affected?: Yes
Comment 8 • 10 months ago (Reporter)
Comment on attachment 9352586 [details]
Bug 1852649 - Cherry-pick upstream libwebp fix.
I'm probably not the ideal person to give this sec-approval, but nobody else seems to be around and the trickiest part of it is coordinating the release stuff, which Ryan is on top of.
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/mozilla-central/rev/80e4521e9b09 Cherry-pick upstream libwebp fix. r=tnikkel, a=RyanVM
Comment 10 • 10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-beta/rev/012efaa3025f
Comment 11 • 10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6
Comment 12 • 10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-esr115/rev/96bd93fca47a (default branch for 115.3esr)
Comment 13 • 10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-esr115/rev/2e61ec742c20 (FIREFOX_ESR_115_2_X_RELBRANCH)
Comment 14 • 10 months ago
uplift: https://hg.mozilla.org/releases/mozilla-esr102/rev/e6d531e48744
Comment 20 • 10 months ago
Can we do an analysis of what it takes to hit this with fuzzing and why it might not have been found previously?
Comment 21 • 10 months ago
I have used the following steps and reproduced a tab crash:
- Download and open an ASan build
- Load the malicious webp image: https://bugzilla.mozilla.org/attachment.cgi?id=9352592
Actual: Tab crash.
Expected: Tab does NOT crash.
We have reproduced it on Windows 10 and Ubuntu 20 with Nightly v119.0a1 from 2023-09-11-09-18-54, Beta v118.0b7 asan, Release v117.0.1 build 1 and verified this fix in Nightly v119.0a1 from 2023-09-12-04-12-49, Beta v118.0b8, Release v117.0.1 build 2, ESR v115.2.1esr, ESR v115.3.0esr and ESR v102.15.1esr.
macOS ASan builds would not run, so we could not reproduce or verify on macOS.
Comment 22 • 10 months ago
(In reply to Christian Holler (:decoder) from comment #20)
Can we do an analysis of what it takes to hit this with fuzzing and why it might not have been found previously?
The existing in-tree fuzzer can "detect" this issue (replaying the test case) but it is unclear why it did not find it. There are more fuzzers in oss-fuzz using multiple engines (afl++, etc.) which also failed to find this issue. Given the source of this issue, this could be "by design" or the corpus data is simply insufficient in all cases. We can open another bug for additional analysis if needed.
Comment 23 • 7 months ago
2 months ago, RyanVM placed a reminder on the bug using the whiteboard tag [reminder-test 2023-12-12].
RyanVM, please refer to the original comment to better understand the reason for the reminder.
Comment 24 • 7 months ago (Reporter)
The Chromium bug (in the See Also) is public now.
Comment 25 • 7 months ago
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/46781343dd7b Add crashtest. r=tnikkel