CVE-2023-4863 is a 0-day for webp (libwebp) that everybody is panic patching. LO accepts webp. If it uses Google's libwebp or something descended from it, it may be affected. I am not a coder, so it would do no good for me to look at the source. Please check. See https://arstechnica.com/security/2023/09/with-0-days-hitting-chrome-ios-and-dozens-more-this-month-is-no-software-safe/
Caolán: noticing https://cgit.freedesktop.org/libreoffice/core/commit/?id=8f020443fda691878ac05c47503169b390f34188, thought you might be interested in this one. There's the fix here: https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a I tried to patch locally but it seems to fail (I suppose it's because I start from 1.3.1; now I don't know if the patch would be easily cherry-pickable). I also noticed tag 1.3.2 on https://chromium.googlesource.com/webm/libwebp. Now I would have preferred 1.3.2 to be available at https://developers.google.com/speed/webp/docs/precompiled?hl=en
Yes, I suppose it affects LO since we use libwebp 1.3.1.
libwebp-1.3.2.tar.gz is available from: https://storage.googleapis.com/downloads.webmproject.org/releases/webp/index.html which makes things straightforward
Caolán McNamara committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/39dc34d33bb01f595fbea214bf3ea315cea5f707 tdf#157231 CVE-2023-4863 upgrade to libwebp-1.3.2.tar.gz It will be available in 24.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-5": https://git.libreoffice.org/core/commit/ef57819ea96bb02a8e946c6877a7458b35e83f27 tdf#157231 CVE-2023-4863 upgrade to libwebp-1.3.2.tar.gz It will be available in 7.5.7. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Caolán McNamara committed a patch related to this issue. It has been pushed to "libreoffice-7-6": https://git.libreoffice.org/core/commit/118383279b6cb609dc1e2623bd6f42f833ac12bf tdf#157231 CVE-2023-4863 upgrade to libwebp-1.3.2.tar.gz It will be available in 7.6.2. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
fix merged to trunk and stable branches
Thank you for the very quick feedback! :-)
Hello,

I did the usual:

sudo apt-get update && sudo apt-get upgrade

on my debian12 today, and it was updating the libwebp packages. May I conclude that:

Version: 7.4.7.2 / LibreOffice Community
Build ID: 40(Build:2)
CPU threads: 4; OS: Linux 6.1; UI render: default; VCL: gtk3
Locale: de-DE (de_DE.UTF-8); UI: de-DE
Debian package version: 4:7.4.7-1
Calc: threaded

is also safe? Next question: what about 7.6.0.2 (aarch64) via _flatpak_?
(In reply to Werner Tietz from comment #9)
> Hallo
>
> I did the usual:
>
> sudo apt-get update && sudo apt-get upgrade
>
> on my debian12 today, and it was updating the libwebp -packages.
>
> May I conclude that:
>
> Version: 7.4.7.2 / LibreOffice Community
> ...
> are also save?

When typing:

apt-cache show libreoffice-core

I got:

libwebp7 (>= 1.2.4)

in the "Depends" list, so I suppose it uses the latest libwebp7 lib from your system.

> next question: what about 7.6.0.2 (aarch64) via _flatpak_ ?

About Flatpak, I may be wrong but it seems it's a system where dependencies are included in the package, so it won't use libs from the system (except those related to Flatpak). So I'd say it won't use your updated libwebp version. Now I'm not an expert so again, I may be wrong.
Perhaps we should more pro-actively push this to users of compromised versions? Some would consider this a serious problem (as the CVE itself is of high severity)
> LO accepts webp. If it uses Google's libwebp or something descended from it
> it may be affected.

Can someone explain:

1. In what usage scenario LO would be affected? and
2. What could happen if it is affected?

About (1.) - unless I'm mistaken, a maliciously-generated .webp file would not be processed unless the user specifically asked: used its URL; saved it to disk and inserted it as an image; or opened a document with this .webp embedded or linked-to. Am I correct?

About (2.) - can an exploit potentially cause arbitrary code execution? Or are we certain that this will "merely" crash LO or put junk somewhere?
Eyal: the bug has been fixed in 7.5, 7.6 and master branches. For 7.5 and 7.6, the versions proposed at https://www.libreoffice.org/download/download-libreoffice/ contain the fix. Have you got something precise in mind that you expect from LO? I mean, it's not the first time and won't be the last time we use some libs which contain CVEs; the goal is to retrieve new versions of these libs which include the fix as quickly as possible and try to release a new LO version. Idem if the CVE is in LO code.
Thanks for the quick work! Agree that the issue is probably worst in a browser context, though I could see a potential for crashing LO if the buffer overrun in the old libwebp were triggered. Still it was worth fixing.
(In reply to Eyal Rozenberg from comment #12)
> 1. In what usage scenario LO would be affected?

In the scenario when a user receives and opens a document containing/referencing such a WebP image - just as you rightfully mentioned in your comment. When referencing it (linked), an infobar would appear before its actual loading.

> 2. What could happen if it is affected?

Since its processing is performed by the affected library, everything that library may do incorrectly may happen inside the LibreOffice process (most likely the effects would be system-specific, from simple crashes to arbitrary code execution).
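Working from the scenario the reply above describes (a document that embeds or links a WebP image), here is an added triage script. It is not part of this bug report and not LibreOffice's or libwebp's code. It lists the WebP images inside an ODF/OOXML package, identified by RIFF magic rather than file extension, and reports which of them would be handed to libwebp's lossless (VP8L) code path, which is where the Huffman table bug behind CVE-2023-4863 lives according to the Isosceles write-up linked at the end of this thread. An ALPH chunk whose compression method is 1 also goes through that path, so it is flagged too. The sample ODT, its member names, and the image bytes are constructed inside the script (header-only stubs, not decodable pictures); the function names are mine.

```python
import io
import struct
import zipfile

RIFF_HEADER_LEN = 12  # "RIFF" + u32 size + "WEBP"


def webp_chunks(data):
    """Walk the top-level RIFF chunk list of a WebP file.

    Returns a list of (fourcc, payload) tuples, or None if the bytes are not
    a WebP container. RIFF pads odd-sized payloads to even length, so the
    walker must skip the pad byte or it desynchronises on the next chunk.
    """
    if len(data) < RIFF_HEADER_LEN or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)  # never trust the declared size past EOF
    pos = RIFF_HEADER_LEN
    chunks = []
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        chunks.append((fourcc, payload))
        pos += 8 + size + (size & 1)
    return chunks


def uses_lossless_decoder(chunks):
    """True if decoding this image runs libwebp's VP8L (lossless) code path.

    That path is taken for a VP8L bitstream and for an ALPH chunk whose
    compression method (low two bits of its first byte) is 1, i.e. an alpha
    plane coded with the lossless format.
    """
    for fourcc, payload in chunks:
        if fourcc == "VP8L":
            return True
        if fourcc == "ALPH" and payload and (payload[0] & 0x03) == 1:
            return True
    return False


def scan_document(zip_bytes):
    """Map member name -> chunk list for every WebP found in an ODF/OOXML zip."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            chunks = webp_chunks(zf.read(info.filename))
            if chunks is not None:
                found[info.filename] = chunks
    return found


def lossless_members(zip_bytes):
    """Sorted names of the members that would exercise the VP8L decoder."""
    return sorted(name for name, chunks in scan_document(zip_bytes).items()
                  if uses_lossless_decoder(chunks))


# ---- constructed sample input (header-only stubs, not real images) ----

def make_webp(chunks):
    body = b""
    for fourcc, payload in chunks:
        body += fourcc.encode("ascii") + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"  # RIFF pad byte
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

# VP8L header: signature 0x2f, then 14-bit width-1, 14-bit height-1, alpha bit, version
LOSSLESS = make_webp([("VP8L", b"\x2f\x00\x00\x00\x00")])   # odd size -> exercises padding
LOSSY = make_webp([("VP8 ", b"\x00" * 10)])                  # note the trailing space in "VP8 "
# Extended container: ALPH with compression method 1 (lossless-coded alpha) plus a lossy frame
EXTENDED = make_webp([("VP8X", b"\x10" + b"\x00" * 9),
                      ("ALPH", b"\x01\x00\x00\x00"),
                      ("VP8 ", b"\x00" * 10)])


def sample_odt():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr("Pictures/lossless.webp", LOSSLESS)
        zf.writestr("Pictures/lossy.webp", LOSSY)
        zf.writestr("Pictures/photo.png", EXTENDED)  # extension says PNG, bytes say WebP
    return buf.getvalue()


if __name__ == "__main__":
    for name, chunks in scan_document(sample_odt()).items():
        flag = "VP8L path" if uses_lossless_decoder(chunks) else ""
        print(name, [c for c, _ in chunks], flag)
```

To triage a real file, call `lossless_members(open(path, "rb").read())`. A hit only means the image reaches the vulnerable decoder in an unpatched build; it does not prove the image is malicious, and a lossy-only document still passes through libwebp. The fix remains upgrading to a build with libwebp 1.3.2 or a distro package carrying the backported patch.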
(In reply to Eyal Rozenberg from comment #11)
> Perhaps we should more pro-actively push this to users of compromised
> versions?

Cloph: I second that; my Windows version 7.6.1 didn't tell me about an available update today - it could be that something else is at play (I don't know how often the checks are made), but if it is our usual "we advertise it two weeks later for auto-update", then this is likely a case worth an exception?
FYI, very interesting to read the background, details, connections of this bug and the finding of it: Isosceles/Ben Hawkes Blog, Sep 21, 2023: The WebP 0day https://blog.isosceles.com/the-webp-0day/