libwebp related vulnerability #518

Closed
opened 2023-09-29 10:19:35 +13:00 by mikedilger · 6 comments
mikedilger commented 2023-09-29 10:19:35 +13:00 (Migrated from github.com)

GOSSIP USERS: SECURITY ALERT

There is an UNPATCHED vulnerability in libwebp that allows a malicious image to infect your computer. This affects gossip, as well as countless other programs.
Normally we wouldn't announce an active vulnerability until it is patched and there is a solution, but this news is already widespread.

Please go to your settings and uncheck "Render all media inline automatically". Only click to view media from people you trust.

We are working towards a better understanding of this, and a fix.

Please correspond with nostr:npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c as this account is only used for announcements and is not watched.

Related security alerts:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

More info
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/

mikedilger commented 2023-09-29 10:19:46 +13:00 (Migrated from github.com)

UPDATE: Images are ok. Images are rendered via a rust library that does not have this vulnerability. It is videos that could be suspect.

If your build of gossip does not include the 'video-ffmpeg' feature, then it doesn't use the libwebp library. You can check by running 'ldd' on the binary. Here is ldd run against a gossip binary that has not enabled that feature:

```
myr gossip] ldd target/debug/gossip
linux-vdso.so.1 (0x00007ffefcd15000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)
```

If instead you see something like this:

```
libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)
```

then your client may be vulnerable.

I could use help understanding this vulnerability.

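As an added example (not part of the thread and not gossip project code), a POSIX shell check that parses `ldd` output for a libwebp link and compares the installed version against the 1.3.2 release cited later in this thread. The sample `ldd` text is constructed from the lines quoted above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not gossip project code: decide from `ldd` output whether a
# binary links libwebp at all, and whether the installed copy is at least the
# 1.3.2 release this thread cites as fixed.

# Sample ldd output, constructed from the lines quoted in the thread.
LDD_CLEAN='linux-vdso.so.1 (0x00007ffefcd15000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)'
LDD_WEBP="$LDD_CLEAN
libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)"

# Print the resolved path of libwebp from ldd output, or nothing if the
# binary does not link it (libraries loaded via dlopen would not show here).
webp_path_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libwebp\.so/ && $2 == "=>" { print $3 }'
}

# Return 0 when a MAJOR.MINOR.PATCH version string is >= 1.3.2, 1 otherwise.
webp_version_fixed() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '{
        have = $1 * 1000000 + $2 * 1000 + $3
        want = 1 * 1000000 + 3 * 1000 + 2
        if (have >= want) exit 0
        exit 1
    }'
}

# Classify a build: not-linked | needs-update | ok.
# $1 is ldd output, $2 the libwebp version the package manager reports
# (e.g. the second field of `brew list --versions webp`); it is passed in
# rather than queried so the check runs offline.
classify_binary() {
    ldd_out=$1
    installed=$2
    if [ -z "$(webp_path_from_ldd "$ldd_out")" ]; then
        echo not-linked
    elif webp_version_fixed "$installed"; then
        echo ok
    else
        echo needs-update
    fi
}

# Real use: classify_binary "$(ldd target/debug/gossip)" "$(brew list --versions webp | awk '{print $2}')"
classify_binary "$LDD_WEBP" 1.3.0   # prints needs-update
```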
mikedilger commented 2023-09-29 10:21:03 +13:00 (Migrated from github.com)

It is strange that the webm project hasn't got any commits recently fixing this: https://github.com/webmproject/libwebp/commits/main
... that maybe the bug isn't actually in libwebp, but is in the way libwebp was being used by everybody.

mikedilger commented 2023-09-29 10:43:13 +13:00 (Migrated from github.com)

Since this is a bug in an OS provided dynamically linked library, and not in gossip, this issue is resolved.

bu5hm4nn commented 2023-10-03 12:32:23 +13:00 (Migrated from github.com)

I removed ffmpeg from my ./run.sh for now, maybe we should make that permanent

mikedilger commented 2023-10-03 14:29:30 +13:00 (Migrated from github.com)

As long as your OS gets updated to libwebp 1.3.2 it should be fine.

bu5hm4nn commented 2023-10-04 11:41:47 +13:00 (Migrated from github.com)

Oh ok, yeah, just did `brew upgrade` and it did update webp from 1.3.0 to 1.3.2