Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Sep 2023 17:49:08 +0200
From: Emilio Pozuelo Monfort <pochu27@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-4863: libwebp: Heap buffer overflow in
 WebP Codec

On 28/09/2023 14:36, Jeffrey Walton wrote:
> On Tue, Sep 26, 2023 at 11:37 AM Solar Designer <solar@...nwall.com> wrote:
>>
>> It was great to hear from Vincent that the newer libwebp changes are
>> just "Clean-ups, no security issues there."  Yet I think it would also
>> be great if someone in here double-checks that.
>>
>> Regarding the assert failure detected by oss-fuzz, "A release build
>> would not be negatively affected."  libwebp does specify -DNDEBUG by
>> default in:
>>
>> $ fgrep -rl DNDEBUG .
>> ./Makefile.vc
>> ./xcframeworkbuild.sh
>> ./iosbuild.sh
>> ./configure.ac
>> ./makefile.unix
>>
>> and there's also cmake support, but apparently cmake sets -DNDEBUG for
>> release builds by default.  So at least this statement does appear to be
>> true for libwebp itself as built via the above means.
>>
>> However, there's also Gradle support, and the gradle* files do not
>> mention NDEBUG.
>>
>> Also, I wonder if there are other projects building code from libwebp
>> via different build environments.
>>
>> So there might be (a small minority of) uses of libwebp where the assert
>> exists in a release build of some project.
> 
> Crypto++ caught a CVE because use of -DNDEBUG was not documented. The
> library's build system used -DNDEBUG (like libwebp), but folks who
> ported to other build systems did not use it. In my mind's eye, others
> who did not use the -DNDEBUG flag should have caught a CVE, not
> Crypto++. Also see CVE-2016-7420 and
> <http://seclists.org/oss-sec/2016/q3/520>.
> 
> Crypto++ eventually took away the footgun by supplying its own
> CRYPTOPP_ASSERT that required a user to supply a switch to engage
> asserts. Asserts were no longer enabled by default when someone
> omitted -DNDEBUG. Also see
> <https://github.com/weidai11/cryptopp/blob/master/trap.h>.
> 
> I've never seen a CVE for documentation before or since.

Here's a recent one:

https://www.cve.org/CVERecord?id=CVE-2023-0466

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908

Cheers,
Emilio

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.