CVE-2023-5217 (libvpx heap buffer overflow) tracking

[xyzeva]

CVE-2023-5217 is a heap buffer overflow in libvpx's VP8 encoder, as many things such as electron and more are being tracked in this issue, so we can fix them in nixpkgs.

This vulnerability is yet to be rated, but we can assume (as its a heap buffer overflow), that it might be a big deal.

Current status

We currently have patched the libvpx package with #257941, vendored dependencies are tracked below.

How to help

• Review/merge any nixpkgs PR that you see pending in the task list below.
• If you have an idea of how to fix/address the vulnerability in any of the packages listed in the task list below, don't hesitate to post a comment here and send pull requests! Feel free to cc me on PRs so I can make sure they're tracked and they don't get lost.

Task list

• libvpx is updated in master libvpx: Fix heap buffer overflow in vp8 encoder #257941
  • libvpx is updated in release-23.05 [Backport release-23.05] libvpx: Fix heap buffer overflow in vp8 encoder #257960
• electron needs to be updated to 26.2.4 electron-bin 22/24/25/26 version bumps for CVE-2023-5217 #258146
  • backport fix to electron_25 (update to 25.8.4) electron-bin 22/24/25/26 version bumps for CVE-2023-5217 #258146
  • backport fix to electron_24 (update to 24.8.5) electron-bin 22/24/25/26 version bumps for CVE-2023-5217 #258146
  • backport fix to electron_22 (update to 22.3.25) electron-bin 22/24/25/26 version bumps for CVE-2023-5217 #258146
• Vendoring
  • High risk stuff (mail clients, IM clients, web browsers)
    • signal-desktop needs to be updated to 6.32 signal-desktop: 6.31.0 -> 6.32.0, 6.32.0-beta.1 -> 6.33.0-beta.1 #258129 (backport [Backport release-23.05] signal-desktop: 6.30.2 -> 6.32.0, 6.32.0-beta.1 -> 6.33.0-beta.1 #258229)
      • signal-desktop-beta needs to be updated to 6.32
    • rocketchat-desktop rocketchat-desktop: 3.9.8 -> 3.9.9 #259038
    • armcord armcord,mailspring: mark as insecure (CVE-2023-4863) #258217
    • indigenous-desktop (homepage URL leads to 404, appears to be a chat app)
    • mattermost-desktop
    • threema-desktop
    • thedesk
    • gitter
      gitter: remove (unmaintained upstream, probably useless now) #255784
      [release-23.05] gitter: mark vulnerable to CVE-2023-4863 #255786
    • aether (upstream hasnt had a commit since 2021, TODO mark/remove?) aether: remove #258556
    • caprine-bin caprine-bin: 2.58.3 -> 2.59.1 #260561
    • wire-desktop
    • keybase-gui
    • mailspring armcord,mailspring: mark as insecure (CVE-2023-4863) #258217
    • brave needs to be updated to 1.58.135 brave: 1.58.129 -> 1.58.135 #258060 [Backport release-23.05] brave: 1.58.129 -> 1.58.135 #258675
    • tor-browser tor-browser: 12.5.5 -> 12.5.6 #258116 (backport [Backport release-23.05] tor-browser: 12.5.5 -> 12.5.6 #258137)
    • microsoft-edge microsoft-edge: 117.0.2045.40 -> 117.0.2045.47 #258155
    • mullvad-browser mullvad-browser: 12.5.5 -> 12.5.6 #258135 (backport [Backport release-23.05] mullvad-browser: 12.5.5 -> 12.5.6 #258138)
  • Other stuff
    • octant-desktop octant{,-desktop},starboard-octant-plugin: drop #258061 (now archived removed
      • mark known vulnerable on 23.05 octant{,-desktop}: mark as insecure (CVE-2023-5217) #258448
    • figma-linux
    • insomnia
    • freeswitch freeswitch: patch CVE-2023-5217 and CVE-2023-44488 #259881
    • losselesscut-bin
    • popcorntime
    • snapmaker-luban snapmaker-luban: 4.8.0 -> 4.9.1 #259111
    • keeweb
    • zotero zotero: mark as insecure (CVE-2023-5217) #262808
    • polar-bookshelf (homepage link broken)
    • join-desktop join-desktop: drop #259067
    • passky-desktop passky-desktop: 7.1.0 -> 8.1.1 #207730
    • isabelle
    • onlyoffice
    • jellyseer jellyseerr: 1.4.1 -> 1.7.0 #259076
    • yesplaymusic
    • atom atom*: drop #258440
    • pulsar pulsar: mark vulnerable to multiple CVE's #262376
    • simplenote (no upstream commits since 2021, TODO mark/remove?) simplenote: drop #259889
    • joplin-desktop joplin-desktop: 2.12.16 -> 2.12.18 #258286
      • missing backport to release-23.05
    • cypress (upstream has had a fix but hasn't version bumped yet)
    • premid
    • tidal-hifi
    • radicle-upstream #314629
    • Jetbrains applications
      • mps
      • pycharm-community jetbrains: 2023.2.2 -> 2023.2.3 #262418
      • idea-community jetbrains: 2023.2 EAP -> 2023.3 EAP #260965
  • Libraries
    • qtwebengine
    • libtoxcore
    • termcolor
    • nwjs nwjs: 0.54.1 -> 0.82.0 #262424
    • jetbrains-jdk-jcef
    • libcef
    • python310Packages.get-video-properties python310Packages.get-video-properties: remove vulnerable binaries #257947

This task list may or may not be complete, if you think we are missing something, please feel free to cc me! Here is the scan ran by @delroth for vulnerable dependencices

[xyzeva]

@Kiwi: simplenote, binary provenance, package seems obsolete

[xyzeva]

@maxhille: aether, binary provenance, package seems obsolete

[xyzeva]

@06kellyjac: octant-desktop, binary provenance, upstream is archived

[xyzeva]

@noneucat: polar-bookshelf, binary provenance, package seems obsolete

[xyzeva]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

[xyzeva]

@Mic92, @equirosa, @urandom2: signal-desktop, binary provenance, update available, priority is high

[xyzeva]

@Mic92, @equirosa, @urandom2: signal-desktop-beta, binary provenance, update available, priority is high

[equirosa]

On September 29, 2023 9:08:28 AM CST, Eva ***@***.***> wrote: @Mic92, @equirosa, @urandom2: signal-desktop, binary provenance, update available, priority is high

On it! :)

[WolfangAukang]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

[WolfangAukang]

Regarding threema-desktop (I'm the maintainer), there was a similar issue (#254798) that asked to remove lib/threema/threema-web, but as this package is using the bundled electron, it wasn't necessary to keep tracking.

Still I have this PR open that removes that component #255899

[MikaelFangel]

Brave is being updated in this PR #258060

[WolfangAukang]

Regarding thedesk (I'm the maintainer), this is a similar case as threema-desktop: application is using bundled electron version but the package contains the binary from the deb file.

PR: #258075

[xyzeva]

@travisbhartwell, @manveru, @prusnak: could we get electron fixes underway?

[mweinelt]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

Then it should be marked knownVulnerable, because they use an end-of-life and vulnerable electron version. Please make that happen if you are opposed to removing it.

[WolfangAukang]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

Then it should be marked knownVulnerable, because they use an end-of-life and vulnerable electron version. Please make that happen if you are opposed to removing it.

You mean knownVulnerabilities? Not able to find any examples with knownVulnerable.

[xyzeva]

New logs starting up by @delroth, should be more usable for reading seashell link

[felschr]

• tor-browser: 12.5.5 -> 12.5.6 #258116
• [Backport release-23.05] tor-browser: 12.5.5 -> 12.5.6 #258137
• mullvad-browser: 12.5.5 -> 12.5.6 #258135
• [Backport release-23.05] mullvad-browser: 12.5.5 -> 12.5.6 #258138

[rhysmdnz]

• microsoft-edge: 117.0.2045.40 -> 117.0.2045.47 #258155

[vcunat]

In addition to the VP8 CVE above, there's now a VP9 CVE #258295 so maybe updating everything will need to be redone again?

[xyzeva]

In addition to the VP8 CVE above, there's now a VP9 CVE #258295 so maybe updating everything will need to be redone again?

We are talking about what to do with the new CVE on the matrix room, we are going to use the same tracking issue, probably

[i077]

I think it is based on XUL, but I think the version of Firefox that comes from is very old. In the JS console in version 6.0.26, Services.appinfo.platformVersion evaluates to "60.9.0", but running the same in the browser console of the most recent release of Firefox evaluates to "118.0.1". Firefox 60.9.0 was released in September 2019. I don't know exactly how the scan was done, as the link to the scan results in the OP is broken.

I can contact their security email or post in the forums about this, but I'm not really sure what the best course of action here is in the meantime. There is Zotero 7 in beta, which patched this vulnerability in a recent build.

[NickCao]

qtwebengine uses system libvpx thus should not be affected.

[MikaelFangel]

I have applied a patch for the CVE in freeswitch in this pr: #259881

[MikaelFangel]

Suggesting to remove simplenote in: #259889

[MikaelFangel]

I looked at mattermost-desktop, and it doesn't use the shipped Electron version, rather it uses the Electron_26 from nixpkgs. Thus, if I haven't missed anything, it should be resolved, right?

See the line here. 😃

[MikaelFangel]

Also should mullvad-vpn not be on the list? It was also found by the vendoring checker https://clbin.com/haJzA. It has an upstream release bundling a new Electron version.

And the pr updating it can be found here #260407

[maxhille]

@xyzeva aether is now removed from master by #258556

[qbit]

For tidal-hifi there is a push to get it building from source: #252307 - I am not versed enough to be able to help.. maybe someone else can?

[MikaelFangel]

Mark figma-linux as vulnerable to this CVE in #261404 until fix is available.

Maintainer will update on next release see: Figma-Linux/figma-linux#341 (comment)

[MikaelFangel]

I suggest marking pulsar, as vulnerable in #262376 because it uses a very outdated version of electron and doesn't seem to plan to bundle a new version anytime soon.

[MikaelFangel]

Update pycharm here: #262418

And idea was updated by this pr: #260965

[MikaelFangel]

Have opened a draft pr fixing nwjs #262424, but I still need to do some more testing to ensure nothing breaks.

Edit
Corrected the pr, so it points to the pr...

[i077]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

[Inkbottle007]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

Hi, as much as I would love to see Zotero 7 come to GA, it seems Zotero 6 has been patched: "Changes in 6.0.30 (November 2, 2023), [Security] Disabled libvpx support (CVE-2023-5217)" (https://www.zotero.org/support/changelog).

[camillemndn]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

Hi, as much as I would love to see Zotero 7 come to GA, it seems Zotero 6 has been patched: "Changes in 6.0.30 (November 2, 2023), [Security] Disabled libvpx support (CVE-2023-5217)" (https://www.zotero.org/support/changelog).

Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated...

[shlevy]

Opened #266033 to update Zotero 6

[Inkbottle007]

Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated...

Good job building Zotero 7 from source. Zotero seems like a Heath Robinson machine and the only way to distribute is is through its prebuilt which is what the Zotero 6 nixos package is doing I understand. I don't know why they need to vendor Firefox but that's another story.