CVE-2018-25011 / CVE-2020-36328 / CVE-2020-36329: libwebp multiple CVEs

Bug #1954722 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Joe Slater

Bug Description

CVE-2018-25011: libwebp: heap-based buffer overflow in PutLE16()
CVE-2020-36328: libwebp: heap-based buffer overflow in WebPDecode*Into functions
CVE-2020-36329: libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c

Score:
cve_id          status  cvss2Score  av  ac  au  ai
CVE-2018-25011  fixed   7.5         N   L   N   P
CVE-2020-36328  fixed   7.5         N   L   N   P
CVE-2020-36329  fixed   7.5         N   L   N   P

Description:
CVE-2018-25011: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-36328: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2020-36329: A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-25011
https://nvd.nist.gov/vuln/detail/CVE-2020-36328
https://nvd.nist.gov/vuln/detail/CVE-2020-36329
https://access.redhat.com/errata/RHSA-2021:2260
http://mirror.centos.org/centos/7/updates/x86_64/Packages/libwebp-0.3.0-10.el7_9.x86_64.rpm

Required Package Versions:
libwebp-0.3.0-10.el7_9.x86_64.rpm

Packages:
libwebp

Found during December 2021 CVE Scan
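Checking the "Required Package Versions" line above across a fleet means comparing RPM version-release strings the way rpm does, not as plain strings (a naive string compare puts 10.el7_9 below 7.el7). The following is an added example, not code from the bug report or from the StarlingX tools repository: a Python port of rpm's rpmvercmp() and EVR comparison, run over constructed `rpm -qa` output for hypothetical hosts (controller-0, controller-1, compute-0); the required version is the one the report lists, and the package lists are invented test data.

```python
import re

# Required fix level from this bug report: name -> "[epoch:]version-release".
REQUIRED = {"libwebp": "0.3.0-10.el7_9"}

# Constructed `rpm -qa` output for hypothetical hosts; not data from real systems.
INSTALLED = {
    "controller-0": ["libwebp-0.3.0-7.el7.x86_64", "bash-4.2.46-34.el7.x86_64"],
    "controller-1": ["libwebp-0.3.0-10.el7_9.x86_64"],
    # multilib leftover: the x86_64 copy is patched, the i686 copy is not
    "compute-0": ["libwebp-0.3.0-10.el7_9.x86_64", "libwebp-0.3.0-7.el7.i686"],
}


def rpm_vercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a > b, -1 if a < b, 0 if equal.
    Strings are walked as alternating numeric and alphabetic segments:
    numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, and '~' sorts before everything else
    (pre-releases). The newer '^' separator is not handled here."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = a[i] if i < len(a) else ""
        tb = b[j] if j < len(b) else ""
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            j += 1
            continue
        if not (ta and tb):
            break
        if ta.isdigit():
            sa = re.match(r"[0-9]+", a[i:]).group()
            sb = re.match(r"[0-9]*", b[j:]).group()
            if not sb:
                return 1  # numeric segment beats alphabetic segment
            i += len(sa)
            j += len(sb)
            na, nb = int(sa), int(sb)
            if na != nb:
                return 1 if na > nb else -1
        else:
            sa = re.match(r"[A-Za-z]+", a[i:]).group()
            sb = re.match(r"[A-Za-z]*", b[j:]).group()
            if not sb:
                return -1  # alphabetic segment loses to numeric segment
            i += len(sa)
            j += len(sb)
            if sa != sb:
                return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a, b):
    """Compare two '[epoch:]version-release' strings: epoch, then version, then release."""
    def split(vr):
        epoch = "0"
        if ":" in vr:
            epoch, vr = vr.split(":", 1)
        version, _, release = vr.partition("-")
        return epoch, version, release
    for x, y in zip(split(a), split(b)):
        c = rpm_vercmp(x, y)
        if c:
            return c
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch' as printed by rpm -q (name may contain '-')."""
    base, _, arch = pkg.rpartition(".")
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def vulnerable_packages(installed, required=REQUIRED):
    """Return (host, package, required_evr) for every installed copy below the fix level."""
    findings = []
    for host, pkgs in installed.items():
        for pkg in pkgs:
            name, version, release, _arch = parse_nvra(pkg)
            if name not in required:
                continue
            if evr_cmp(version + "-" + release, required[name]) < 0:
                findings.append((host, pkg, required[name]))
    return findings


if __name__ == "__main__":
    for host, pkg, need in vulnerable_packages(INSTALLED):
        print(f"{host}: {pkg} is below required {need}")
```

Every installed copy is checked, so a stale i686 multilib package on an otherwise patched host is reported; a scan that only looks at the first `rpm -q libwebp` line would miss it.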

Revision history for this message
Ghada Khalil (gkhalil) wrote (last edit):

Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and cherrypicked to the r/stx.6.0 release branch at some point. However, we will not hold up the stx.6.0 release on this as CVEs can be reported at any time.

information type: Public → Public Security
tags: added: stx.6.0 stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Yue Tao (wrytao)
Ghada Khalil (gkhalil)
description: updated
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Yue Tao (wrytao) → Joe Slater (jslater0wind)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: High → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/822759

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/822759
Committed: https://opendev.org/starlingx/tools/commit/ea942842dd153fc11c9da7112c444a181c8f97f0
Submitter: "Zuul (22348)"
Branch: master

commit ea942842dd153fc11c9da7112c444a181c8f97f0
Author: Joe Slater <email address hidden>
Date: Wed Dec 22 13:02:54 2021 -0500

    libwebp: fix CVE-2018-25011, CVE-2020-36328, CVE-2020-36329

    CVE-2018-25011: libwebp: heap-based buffer overflow
    CVE-2020-36328: libwebp: heap-based buffer overflow
    CVE-2020-36329: libwebp: use-after-free

    Testing

    build-pkgs; build-iso (unused); create designer patch
    install patch
    run sanity test (PASS)
    remove patch
    run sanity test (PASS)

    ---sanity test ---
    #!/bin/python
    from PIL import Image
    im = Image.open("/usr/share/backgrounds/day.jpg")
    # create webp format file
    im.save("day.webp")
    ---

    Closes-Bug: 1954722
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I22ac6bd3b8399c6b16729201a0a4e05e631b5575

Changed in starlingx:
status: In Progress → Fix Released
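The sanity test in the commit message above drives the encoder through Pillow, while the three CVEs are in the decoder: the WebPDecode*Into output path and EmitFancyRGB(). As an added example that is not part of the StarlingX change or of libwebp, here is a small Python parser for the RIFF/WebP container that reads the canvas size from a VP8, VP8L or VP8X chunk and applies the output-buffer check a decode-into-caller-buffer API has to make before writing pixels, the class of check CVE-2020-36328 describes as invalid. The sample files are constructed inside the code (image headers only, not decodable pictures), and all function names here are mine, not libwebp's.

```python
import struct

BYTES_PER_PIXEL = {"RGB": 3, "BGR": 3, "RGBA": 4, "BGRA": 4, "ARGB": 4}


def iter_chunks(data):
    """Yield (fourcc, payload) for each chunk of a RIFF/WEBP container,
    refusing a truncated chunk instead of reading past the end of the data."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated %r chunk" % fourcc)
        yield fourcc, payload
        pos += 8 + size + (size & 1)  # payloads are padded to even length


def webp_dimensions(data):
    """Return (width, height) from the first VP8X, VP8L or VP8 chunk."""
    for fourcc, payload in iter_chunks(data):
        if fourcc == b"VP8X":
            # flags(1) reserved(3) canvas_width-1(24 bit) canvas_height-1(24 bit)
            if len(payload) < 10:
                raise ValueError("short VP8X header")
            w = int.from_bytes(payload[4:7], "little") + 1
            h = int.from_bytes(payload[7:10], "little") + 1
            return w, h
        if fourcc == b"VP8L":
            # signature 0x2f, then 14 bits width-1, 14 bits height-1, alpha, version
            if len(payload) < 5 or payload[0] != 0x2F:
                raise ValueError("bad VP8L signature")
            bits = struct.unpack_from("<I", payload, 1)[0]
            if bits >> 29:
                raise ValueError("unsupported VP8L version")
            return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1
        if fourcc == b"VP8 ":
            # key frame: 3-byte frame tag, start code 9d 01 2a, 14-bit width/height
            if len(payload) < 10 or payload[3:6] != b"\x9d\x01\x2a":
                raise ValueError("bad VP8 key frame start code")
            w = struct.unpack_from("<H", payload, 6)[0] & 0x3FFF
            h = struct.unpack_from("<H", payload, 8)[0] & 0x3FFF
            return w, h
    raise ValueError("no image chunk found")


def output_buffer_ok(width, height, colorspace, stride, buffer_size):
    """The check a decode-into-caller-buffer API must make before writing:
    each row needs width*bpp bytes, rows start stride bytes apart, and the
    last row must end inside the caller's buffer. Python ints cannot overflow;
    in C the products must be done in 64 bits, or a large declared canvas
    wraps the arithmetic and the comparison passes a buffer that is too small."""
    bpp = BYTES_PER_PIXEL[colorspace]
    if width <= 0 or height <= 0 or stride < width * bpp:
        return False
    needed = stride * (height - 1) + width * bpp
    return needed <= buffer_size


def required_buffer_size(data, colorspace, stride=None):
    """Smallest output buffer that can hold `data` decoded into `colorspace`."""
    width, height = webp_dimensions(data)
    bpp = BYTES_PER_PIXEL[colorspace]
    if stride is None:
        stride = width * bpp
    if stride < width * bpp:
        raise ValueError("stride shorter than one row")
    return stride * (height - 1) + width * bpp


def is_well_formed(data):
    """True if the container parses and carries a recognised image chunk."""
    try:
        webp_dimensions(data)
        return True
    except ValueError:
        return False


# Constructed test data: one chunk in a RIFF/WEBP wrapper, headers only.
def make_webp(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload + pad
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


def vp8l_header(width, height, alpha=False):
    bits = (width - 1) | ((height - 1) << 14) | (int(alpha) << 28)
    return b"\x2f" + struct.pack("<I", bits)
```

A decode-side sanity test for a patched host would feed real WebP files through the installed library and compare the declared canvas against the buffer the caller hands over; the point of `output_buffer_ok` is that the decision depends on stride and height together, not on width*height alone.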
Revision history for this message
Ghada Khalil (gkhalil) wrote :

@Joe Slater, please cherrypick this CVE fix to the r/stx.6.0 branch

tags: added: stx.cherrypickneeded
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (r/stx.6.0)

Fix proposed to branch: r/stx.6.0
Review: https://review.opendev.org/c/starlingx/tools/+/823450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (r/stx.6.0)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/823450
Committed: https://opendev.org/starlingx/tools/commit/d4217c205cd89474d7ce0dcf530616c9c81f0765
Submitter: "Zuul (22348)"
Branch: r/stx.6.0

commit d4217c205cd89474d7ce0dcf530616c9c81f0765
Author: Joe Slater <email address hidden>
Date: Wed Dec 22 13:02:54 2021 -0500

    libwebp: fix CVE-2018-25011, CVE-2020-36328, CVE-2020-36329

    CVE-2018-25011: libwebp: heap-based buffer overflow
    CVE-2020-36328: libwebp: heap-based buffer overflow
    CVE-2020-36329: libwebp: use-after-free

    Testing

    build-pkgs; build-iso (unused); create designer patch
    install patch
    run sanity test (PASS)
    remove patch
    run sanity test (PASS)

    ---sanity test ---
    #!/bin/python
    from PIL import Image
    im = Image.open("/usr/share/backgrounds/day.jpg")
    # create webp format file
    im.save("day.webp")
    ---

    Closes-Bug: 1954722
    Signed-off-by: Joe Slater <email address hidden>
    Change-Id: I22ac6bd3b8399c6b16729201a0a4e05e631b5575
    (cherry picked from commit ea942842dd153fc11c9da7112c444a181c8f97f0)

Ghada Khalil (gkhalil)
tags: added: in-r-stx60
tags: removed: stx.cherrypickneeded