oss-sec mailing list archives

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec

From: Emilio Pozuelo Monfort <pochu27 () gmail com>
Date: Thu, 28 Sep 2023 17:49:08 +0200

On 28/09/2023 14:36, Jeffrey Walton wrote:

On Tue, Sep 26, 2023 at 11:37 AM Solar Designer <solar () openwall com> wrote:


It was great to hear from Vincent that the newer libwebp changes are
just "Clean-ups, no security issues there."  Yet I think it would also
be great if someone in here double-checks that.

Regarding the assert failure detected by oss-fuzz, "A release build
would not be negatively affected."  libwebp does specify -DNDEBUG by
default in:

$ fgrep -rl DNDEBUG .
./Makefile.vc
./xcframeworkbuild.sh
./iosbuild.sh
./configure.ac
./makefile.unix

and there's also cmake support, but apparently cmake sets -DNDEBUG for
release builds by default.  So at least this statement does appear to be
true for libwebp itself as built via the above means.

However, there's also Gradle support, and the gradle* files do not
mention NDEBUG.

Also, I wonder if there are other projects building code from libwebp
via different build environments.

So there might be (a small minority of) uses of libwebp where the assert
exists in a release build of some project.


Crypto++ caught a CVE because use of -DNDEBUG was not documented. The
library's build system used -DNDEBUG (like libwebp), but folks who
ported to other build systems did not use it. In my mind's eye, others
who did not use the -DNDEBUG flag should have caught a CVE, not
Crypto++. Also see CVE-2016-7420 and
<http://seclists.org/oss-sec/2016/q3/520>.

Crypto++ eventually took away the footgun by supplying its own
CRYPTOPP_ASSERT that required a user to supply a switch to engage
asserts. Asserts were no longer enabled by default when someone
omitted -DNDEBUG. Also see
<https://github.com/weidai11/cryptopp/blob/master/trap.h>.

I've never seen a CVE for documentation before or since.


Here's a recent one:

https://www.cve.org/CVERecord?id=CVE-2023-0466

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908

Cheers,
Emilio

Current thread:

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec, (continued)
- - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 22)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Vincent Rabaud (Sep 22)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 22)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Vincent Rabaud (Sep 22)
  - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Marc Deslauriers (Sep 22)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Rodrigo Freire (Sep 22)
- Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Salvatore Bonaccorso (Sep 26)
  - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 26)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Salvatore Bonaccorso (Sep 28)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Jeffrey Walton (Sep 28)
    - Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Emilio Pozuelo Monfort (Sep 28)