alt.os.linux.mageia / libwebp security hole and Mageia

Subject / Author
* libwebp security hole and Mageia (William Unruh)
+* Re: libwebp security hole and Mageia (TJ)
|`- Re: libwebp security hole and Mageia (William Unruh)
`- Re: libwebp security hole and Mageia (William Unruh)

libwebp security hole and Mageia

https://www.rocksolidbbs.com/computers/article-flat.php?id=5841&group=alt.os.linux.mageia#5841

From: unruh@invalid.ca (William Unruh)
Newsgroups: alt.os.linux.mageia
Subject: libwebp security hole and Mageia
Date: Mon, 16 Oct 2023 20:28:49 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <ugk6e1$2ehlk$1@dont-email.me>
User-Agent: slrn/1.0.3 (Linux)

At my university, we have just gotten a panicky email about a libwebp
wide-ranging vulnerability. Unfortunately, although long on dire warnings,
it was short on facts. It seemed to say that there could be many
programs (in addition to Chrome) vulnerable (including all browsers, not
just Chrome), and seemed to imply that many programs had compiled libwebp
into the program.
Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
and there seems to be an alert dated Oct 3
(https://lwn.net/Articles/946306/) which seems to imply that Mageia had
fixed this bug. But the week difference between libwebp files and the
advisory makes me wonder if it has been fixed in Mageia already.

Any insight and advice would be helpful.

Re: libwebp security hole and Mageia

https://www.rocksolidbbs.com/computers/article-flat.php?id=5842&group=alt.os.linux.mageia#5842

From: TJ@noneofyour.business (TJ)
Newsgroups: alt.os.linux.mageia
Subject: Re: libwebp security hole and Mageia
Date: Mon, 16 Oct 2023 19:03:09 -0400
Organization: A noiseless patient Spider
Lines: 23
Message-ID: <ugkffe$2gip2$1@dont-email.me>
References: <ugk6e1$2ehlk$1@dont-email.me>
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <ugk6e1$2ehlk$1@dont-email.me>

On 2023-10-16 16:28, William Unruh wrote:
> At my university, we have just gotten a panicky email about a libwebp
> wide-ranging vulnerability. Unfortunately, although long on dire warnings,
> it was short on facts. It seemed to say that there could be many
> programs (in addition to Chrome) vulnerable (including all browsers, not
> just Chrome), and seemed to imply that many programs had compiled libwebp
> into the program.
> Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
> and there seems to be an alert dated Oct 3
> (https://lwn.net/Articles/946306/) which seems to imply that Mageia had
> fixed this bug. But the week difference between libwebp files and the
> advisory makes me wonder if it has been fixed in Mageia already.
>
> Any insight and advice would be helpful.

https://www.cpomagazine.com/cyber-security/documented-libwebp-security-vulnerability-looks-to-be-part-of-pegasus-blastpass-attack-chain/
identifies the vulnerability as CVE-2023-4863.

Searching Mageia's Bugzilla,
https://bugs.mageia.org/show_bug.cgi?id=32280 shows that this was fixed
in both Mageia 8 and Mageia 9, and the update was pushed on October 3.

TJ

Re: libwebp security hole and Mageia

https://www.rocksolidbbs.com/computers/article-flat.php?id=5843&group=alt.os.linux.mageia#5843

From: unruh@invalid.ca (William Unruh)
Newsgroups: alt.os.linux.mageia
Subject: Re: libwebp security hole and Mageia
Date: Tue, 17 Oct 2023 02:55:16 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <ugkt2k$2n3m1$1@dont-email.me>
References: <ugk6e1$2ehlk$1@dont-email.me> <ugkffe$2gip2$1@dont-email.me>
User-Agent: slrn/1.0.3 (Linux)

On 2023-10-16, TJ <TJ@noneofyour.business> wrote:
> On 2023-10-16 16:28, William Unruh wrote:
>> At my university, we have just gotten a panicky email about a libwebp
>> wide-ranging vulnerability. Unfortunately, although long on dire warnings,
>> it was short on facts. It seemed to say that there could be many
>> programs (in addition to Chrome) vulnerable (including all browsers, not
>> just Chrome), and seemed to imply that many programs had compiled libwebp
>> into the program.
>> Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
>> and there seems to be an alert dated Oct 3
>> (https://lwn.net/Articles/946306/) which seems to imply that Mageia had
>> fixed this bug. But the week difference between libwebp files and the
>> advisory makes me wonder if it has been fixed in Mageia already.
>>
>> Any insight and advice would be helpful.
>
> https://www.cpomagazine.com/cyber-security/documented-libwebp-security-vulnerability-looks-to-be-part-of-pegasus-blastpass-attack-chain/
> identifies the vulnerability as CVE-2023-4863.
>
> Searching Mageia's Bugzilla,
> https://bugs.mageia.org/show_bug.cgi?id=32280 shows that this was fixed
> in both Mageia 8 and Mageia 9, and the update was pushed on October 3.

But the latest libwebp packages have a date of Sep 26, not Oct 3. I
guess this could mean that they were compiled on Sep 26 but then,
because of testing, the package was only put out (without recompilation)
on Oct 3.

>
> TJ
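
A practical way to settle the date question, as an added example (this is not code from the thread or from Mageia): ask rpm rather than the filesystem. rpm restores each file's mtime from the package payload, so a library under /lib64 carries the time the file was produced at build, not the time the update reached the mirrors after QA; the package build time and its changelog are the signals to use. The script assumes an RPM-based system with rpm(8) on the PATH, that the library path queried is the one rpm owns (libwebp.so.7 is the soname of libwebp 1.x), and that the package changelog names the CVE; if the changelog is silent, compare the installed version against the one given in Mageia bug 32280 instead.

```shell
#!/bin/sh
# Added example, not from the thread: is the installed libwebp fixed for a CVE?
# Uses package metadata (build time, changelog) instead of file mtimes.
# Assumes an RPM-based system such as Mageia with rpm(8) on the PATH and a
# package changelog that names the CVE.

# has_cve_fix CVE-ID: reads a package changelog on stdin and prints
# "fixed" if the CVE is mentioned (case-insensitive), "unknown" otherwise.
has_cve_fix() {
    if grep -qi -- "$1"; then
        echo fixed
    else
        echo unknown
    fi
}

# report FILE CVE-ID: show the owning package, when it was built, the mtime
# rpm restored on FILE (the time the file was produced, not the time the
# update was published) and whether the changelog names the CVE.
report() {
    file=$1; cve=$2
    pkg=$(rpm -qf "$file") || { echo "no package owns $file" >&2; return 2; }
    echo "package   : $pkg"
    echo "built     : $(rpm -q --qf '%{BUILDTIME:date}\n' "$pkg")"
    echo "file mtime: $(ls -l --time-style=full-iso "$file")"   # GNU ls
    echo "changelog : $(rpm -q --changelog "$pkg" | has_cve_fix "$cve")"
}

# Usage: sh check-libwebp.sh /lib64/libwebp.so.7 CVE-2023-4863
if [ $# -ge 2 ]; then report "$1" "$2"; fi
```

"unknown" deliberately does not mean "vulnerable": it means the changelog gave no answer and the version has to be compared with the fixed one by hand. A "built" date a week before the advisory together with a changelog hit is exactly the pattern an update that sat in QA before release produces.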

Re: libwebp security hole and Mageia

https://www.rocksolidbbs.com/computers/article-flat.php?id=5844&group=alt.os.linux.mageia#5844

From: unruh@invalid.ca (William Unruh)
Newsgroups: alt.os.linux.mageia
Subject: Re: libwebp security hole and Mageia
Date: Wed, 18 Oct 2023 21:14:10 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 38
Message-ID: <ugphr2$3s1gb$1@dont-email.me>
References: <ugk6e1$2ehlk$1@dont-email.me>
<op.2cxfyda7a3w0dxdave@hodgins.homeip.net>
User-Agent: slrn/1.0.3 (Linux)

On 2023-10-16, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
> On Mon, 16 Oct 2023 16:28:49 -0400, William Unruh <unruh@invalid.ca> wrote:
>
>> At my university, we have just gotten a panicky email about a libwebp
>> wide-ranging vulnerability. Unfortunately, although long on dire warnings,
>> it was short on facts. It seemed to say that there could be many
>> programs (in addition to Chrome) vulnerable (including all browsers, not
>> just Chrome), and seemed to imply that many programs had compiled libwebp
>> into the program.
>> Mageia has /lib64/libwebp libraries which date back to Sept 26 2023,
>> and there seems to be an alert dated Oct 3
>> (https://lwn.net/Articles/946306/) which seems to imply that Mageia had
>> fixed this bug. But the week difference between libwebp files and the
>> advisory makes me wonder if it has been fixed in Mageia already.
>>
>> Any insight and advice would be helpful.
>
> Mageia does not bundle libwebp in the various browsers or other packages, so it
> only has the one package for the system that had to be fixed, instead of having
> to fix every program that processes content from the web.
>
> Mageia makes proper usage of libification. Flatpak and other things like rust's
> cargo system that bundle a copy of a working version of every library used by
> a program require much more work for security updates. Instead of updating one
> package, dozens of packages have to be updated. Such systems are a security
> nightmare. There are exceptions where some libraries are bundled, but only a
> few, and libwebp is not used by any of those.
>
> While proper usage of libification is much better from a security point of view,
> it's also the main reason that Mageia uses a stable release model instead of a
> rolling release model. With a rolling release, the problem is similar to using
> bundled libraries. Much more work involved in every library package update.
>
> Regards, Dave Hodgins

I note that there is also a 32 bit version for libwebp, which is dated
Sep 6, not Sept 26. Does it also contain the latest fix for this
security flaw?
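
A check that follows from Dave's point about bundling, as an added example (not code from the thread or from Mageia): find which executables and libraries on the box use libwebp at all, and whether they use the shared library (one package to update) or appear to carry their own copy (each one needs its own update). Assumptions: ELF binaries, GNU readelf(1) from binutils, the libwebp 1.x sonames (libwebp.so.7 and its decoder, mux and demux companions), and the heuristic that a bundled copy still contains libwebp's exported entry-point names such as WebPDecode in its string table. A "bundled" hit is a lead to verify by hand, not proof: a program that dlopen()s the system libwebp (an image-loader plugin, a language binding) has no DT_NEEDED entry but does mention the symbol.

```shell
#!/bin/sh
# Added example, not from the thread: classify how ELF files use libwebp.
#   shared  - DT_NEEDED names a libwebp soname: fixed by the one system package
#   bundled - no DT_NEEDED, but libwebp entry-point names are present in the
#             binary: it probably carries its own copy (heuristic, verify)
#   none    - no sign of libwebp
# Assumes ELF binaries and GNU readelf(1); libwebp.so.7 is libwebp 1.x's soname.

# classify NEEDED STRINGS -> shared | bundled | none
#   NEEDED : DT_NEEDED library names, one per line
#   STRINGS: printable strings from the binary, one per line
classify() {
    needed=$1; strings=$2
    if printf '%s\n' "$needed" | grep -q '^libwebp[a-z]*\.so'; then
        echo shared
    elif printf '%s\n' "$strings" | grep -q '^WebPDecode'; then
        echo bundled        # WebPDecode* are real libwebp entry points
    else
        echo none
    fi
}

# needed_of FILE: DT_NEEDED entries, one per line (needs readelf)
needed_of() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p'
}

# strings_of FILE: runs of printable bytes, one per line (a minimal strings(1))
strings_of() {
    tr -c '[:print:]' '\n' < "$1"
}

classify_file() {
    classify "$(needed_of "$1")" "$(strings_of "$1")"
}

# scan DIR...: print "<class> <path>" for every executable ELF file that
# shows any sign of libwebp.
scan() {
    find "$@" -type f -perm -u+x 2>/dev/null | while read -r f; do
        [ "$(head -c 4 "$f" | tr -d '\177')" = ELF ] || continue
        c=$(classify_file "$f")
        [ "$c" = none ] || echo "$c $f"
    done
}

# Usage: sh scan-libwebp.sh /usr/bin /usr/lib64
if [ $# -gt 0 ]; then scan "$@"; fi
```

On a distribution that follows Dave's rule the "shared" list is the whole answer and the "bundled" list should be empty apart from the few known exceptions; on a box with Flatpaks, AppImages or vendor tarballs under /opt, every "bundled" entry is a separate thing to patch or remove.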
