libwebp related vulnerability #518
Reference: nostr/gossip#518
GOSSIP USERS: SECURITY ALERT
There is an UNPATCHED vulnerability in libwebp that allows a malicious image to infect your computer. This affects gossip, as well as countless other programs.
Normally we wouldn't announce an active vulnerability until it is patched and there is a solution, but this news is already widespread.
Please go to your settings and uncheck "Render all media inline automatically". Only click to view media from people you trust.
We are working towards a better understanding of this, and a fix.
Please correspond with nostr:npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c as this account is only used for announcements and is not watched.
Related security alerts:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
More info
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-imageio-webp-zero-days
https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/
UPDATE: Images are ok. Images are rendered via a rust library that does not have this vulnerability. It is videos that could be suspect.
If your build of gossip does not include the 'video-ffmpeg' feature, then it doesn't use the libwebp library. You can check by running 'ldd' on the binary. Here is ldd run against a gossip binary that has not enabled that feature:
myr gossip] ldd target/debug/gossip
linux-vdso.so.1 (0x00007ffefcd15000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f7e98cee000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7e98e39000)
If instead you see something like this:
libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)
then your client may be vulnerable.
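The ldd check above, turned into a small script as an added example (not from the gossip project or this thread): it reports whether ldd output lists a libwebp entry, and whether an installed libwebp version is at or above 1.3.2, the release the thread names as the fix. The ldd lines inside it are constructed samples modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not part of the gossip project. Detects whether a binary's
# ldd output pulls in libwebp and whether a libwebp version is >= 1.3.2.

# Constructed sample: ldd output for a build without the video-ffmpeg feature.
LDD_WITHOUT_WEBP='linux-vdso.so.1 (0x00007ffefcd15000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7e98ddb000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f7e93200000)'

# Constructed sample: the same build plus a dynamically linked libwebp.
LDD_WITH_WEBP="$LDD_WITHOUT_WEBP
	libwebp.so.7 => /usr/lib/libwebp.so.7 (0x00007efefa52c000)"

# links_libwebp: read ldd output on stdin; succeed if any libwebp.so entry appears.
links_libwebp() {
    grep -q '^[[:space:]]*libwebp\.so'
}

# webp_version_fixed VERSION: succeed if VERSION >= 1.3.2. Components are
# compared numerically, so 1.10.0 correctly ranks above 1.3.2.
webp_version_fixed() {
    awk -v v="$1" 'BEGIN {
        n = split(v, a, "."); split("1.3.2", b, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = b[i] + 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_binary PATH: run the real ldd against a binary on this machine and
# print whether it links libwebp (mirrors the manual check in the thread).
check_binary() {
    if ldd "$1" 2>/dev/null | links_libwebp; then
        echo "$1: links libwebp (check that the OS copy is >= 1.3.2)"
    else
        echo "$1: does not link libwebp"
    fi
}
```

Run `check_binary target/debug/gossip` (or any path) to test a real binary; the sample variables only exercise the parser.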
I could use help understanding this vulnerability.
It is strange that the webm project hasn't got any commits recently fixing this: https://github.com/webmproject/libwebp/commits/main
... that maybe the bug isn't actually in libwebp, but is in the way libwebp was being used by everybody.
Since this is a bug in an OS provided dynamically linked library, and not in gossip, this issue is resolved.
I removed ffmpeg from my ./run.sh for now, maybe we should make that permanent
As long as your OS gets updated to libwebp 1.3.2 it should be fine.
Oh ok, yeah, just did brew upgrade and it did update webp from 1.3.0 to 1.3.2.