About the use of system libraries and CVE-2023-4863
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
-
- Newbie
- Posts: 5
- Joined: 2023-09-12, 23:22
About the use of system libraries and CVE-2023-4863
The libwebp remote code execution vulnerability is being exploited in the wild; distros ship an updated libwebp and every browser can utilize it, but not Pale Moon, which elected to bundle an old version and doesn't care enough to issue a security release.
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
Wow, immediately jumping to a conclusion that "we don't care enough"? For something that was published.... yesterday? XD Are you for real?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1138
- Joined: 2019-04-24, 09:38
Re: About the use of system libraries and CVE-2023-4863
I think we should discuss that topic on an objective level.
Are there currently real vulnerabilities that can be used in real situations in PM when using the older version shipped with PM?
The profile picture shows my Maico EC30 E ceiling fan.
-
- Apollo supporter
- Posts: 35
- Joined: 2023-04-13, 07:57
Re: About the use of system libraries and CVE-2023-4863
Mozilla also doesn't use the most up-to-date libwebp, they backported that fix instead.
See also: viewtopic.php?f=5&t=30285
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
I'm working on a fix in our tree. Backporting is straightforward.
For the record: Mozilla also uses in-tree libwebp. They pushed a patch for it 30 hours ago to update their in-tree libwebp.
Despite me having many years of collaboration with MozSec, I am NOT given access to bugs of immediate vulnerabilities and am only granted access after Firefox releases upon request. The relevant sec bug for this issue in bugzilla is "access denied" for me just like anyone else, and I am not notified of bugs like these.
As such, OP's attitude and accusation are totally disingenuous and uncalled for. Being unaware of a 0day patch does not equal "not caring" and feels just like another dead horse beating of "you should use system libs"...

Pentium4User wrote: ↑2023-09-13, 07:29
Are there currently real vulnerabilities that can be used in real situations in PM when using the older version shipped with PM?

Unknown, since I don't have access to bug discussion, proof-of-concepts and similar. We only have OP's word it's "exploited in the wild". If a specially crafted webp can cause a crash on an out-of-bounds address access then it's possible to craft an exploit, but certainly not trivial.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
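Two points in this thread lend themselves to a concrete check: whether a crafted WebP can even reach the code an application uses (Moonchild's "exploit is possible but not trivial" reply above, and the later point that a lib bug does not automatically affect every application using that lib the same way). The fix for CVE-2023-4863 landed in libwebp's VP8L (lossless) Huffman table handling, a fact taken from the upstream libwebp fix, not from this thread. So for triage the first question about a suspicious .webp is simply: does it carry a VP8L bitstream at all? The script below is an added example, not code from the Pale Moon project or from anyone in this thread. It walks the RIFF/WEBP container, lists its chunks, and flags whether any lossless payload is present. The sample files are constructed inline by hand; they are not real captured images.

```python
"""
WebP container triage: which decoder path would this file exercise?

Added example, not Pale Moon project code. CVE-2023-4863's fix is in
libwebp's VP8L (lossless) Huffman handling, so a file with no VP8L chunk
never reaches that code, regardless of which libwebp the browser bundles.
Sample bytes below are constructed by hand, not real files.
"""
import struct
import sys


def parse_webp(data: bytes) -> dict:
    """Walk a RIFF/WEBP container and report its top-level chunks.

    Returns {'format': 'lossy'|'lossless'|'extended',
             'chunks': [(fourcc, size), ...],
             'lossless_payload': bool}
    Raises ValueError on a malformed or truncated container instead of
    trusting declared sizes, which is the whole point of a triage tool.
    """
    if len(data) < 12 or data[0:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    # RIFF size counts everything after the 8-byte RIFF header.  Never
    # read past the bytes we actually have, whatever the header claims.
    end = min(len(data), 8 + riff_size)
    pos = 12
    chunks = []
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = payload_start + size
        if payload_end > end:
            raise ValueError(f"chunk {fourcc!r} declares {size} bytes past end of data")
        if fourcc == b"VP8L" and (size < 1 or data[payload_start] != 0x2F):
            raise ValueError("VP8L chunk lacks the 0x2f lossless signature byte")
        chunks.append((fourcc.decode("ascii", "replace"), size))
        pos = payload_end + (size & 1)  # chunks are padded to even length
    if not chunks:
        raise ValueError("container has no chunks")
    first = chunks[0][0]
    fmt = {"VP8 ": "lossy", "VP8L": "lossless", "VP8X": "extended"}.get(first)
    if fmt is None:
        raise ValueError(f"unexpected first chunk {first!r}")
    return {
        "format": fmt,
        "chunks": chunks,
        "lossless_payload": any(name == "VP8L" for name, _ in chunks),
    }


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk with the even-length padding the format requires."""
    body = fourcc + struct.pack("<I", len(payload)) + payload
    return body + (b"\0" if len(payload) & 1 else b"")


def build_webp(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF/WEBP header (used only to construct samples)."""
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not real images): a lossy file, a lossless file,
# and an extended (VP8X) file whose image data is lossless.  Payloads are
# filler; only the container layout matters for this check.
SAMPLE_LOSSY = build_webp(_chunk(b"VP8 ", b"\x00" * 10))
SAMPLE_LOSSLESS = build_webp(_chunk(b"VP8L", b"\x2f" + b"\x00" * 4))
SAMPLE_EXTENDED = build_webp(
    _chunk(b"VP8X", b"\x00" * 10),
    _chunk(b"ICCP", b"\x01\x02\x03"),          # odd length exercises padding
    _chunk(b"VP8L", b"\x2f" + b"\x00" * 4),
)


def triage(path: str) -> str:
    """One-line verdict for a file on disk."""
    with open(path, "rb") as fh:
        info = parse_webp(fh.read())
    verdict = "reaches VP8L decoder" if info["lossless_payload"] else "lossy only"
    return f"{path}: {info['format']}, chunks={[c for c, _ in info['chunks']]}, {verdict}"


if __name__ == "__main__":
    # usage: python webp_triage.py cache/*.webp
    for p in sys.argv[1:]:
        try:
            print(triage(p))
        except (OSError, ValueError) as exc:
            print(f"{p}: REJECT ({exc})")
```

Run it over a browser cache directory to separate files that exercise the lossless decoder from ones that cannot. The parser deliberately refuses any chunk whose declared size runs past the data it has; a triage tool that trusts attacker-supplied lengths is itself a parser bug waiting to happen.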
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
Filed Issue #2309 (UXP)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Newbie
- Posts: 5
- Joined: 2023-09-12, 23:22
Re: About the use of system libraries and CVE-2023-4863
If you cared, https://www.palemoon.org/redist.shtml wouldn't prohibit adjusting/unbundling libs for security fixes.
-
- Newbie
- Posts: 5
- Joined: 2023-09-12, 23:22
Re: About the use of system libraries and CVE-2023-4863
Moonchild wrote: ↑2023-09-13, 08:08
Unknown, since I don't have access to bug discussion, proof-of-concepts and similar. We only have OP's word it's "exploited in the wild". If a specially crafted webp can cause a crash on an out-of-bounds address access then it's possible to craft an exploit, but certainly not trivial.

That's Google's words, not mine; I'm sure if a vulnerability affects Chromium, it will also affect PM that shares the same vulnerable code.
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
If you cared, you would have read and understood the sticky I referred to as to why you can't put the Pale Moon label on that.
Then you don't seem to understand how a vulnerability in an application due to a lib's code doesn't automatically and equally affect a different application using the same lib in a different way. So I wouldn't be so sure about that.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Lunatic
- Posts: 323
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: About the use of system libraries and CVE-2023-4863
Sometimes I find it truly difficult to determine if posts like these are being serious or if they are just trolls who fell for the "old and insecure" FUD. The argumentative tone and insults make it really difficult to take the OP seriously, and any reasonable person would know that type of arrogant attitude is likely to get them nothing other than a banhammer.
L29Ah, if you had simply come in and said "Hey guys, there is this WebP security vulnerability that I think you should know about. Have you reconsidered your use of system libraries in light of this security vulnerability?" then it would have led to a much more constructive discussion.
-
- Knows the dark side
- Posts: 4984
- Joined: 2015-12-09, 15:45
Re: About the use of system libraries and CVE-2023-4863
Like you said about trolls, this is assuming they wanted one in the first place.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
-
- Keeps coming back
- Posts: 786
- Joined: 2020-11-03, 06:47
- Location: Philippines
Re: About the use of system libraries and CVE-2023-4863
OP is a Gentoo user, what did you expect. Other than OpenRC, Gentoo users don't really do anything constructive IMHO.
merry mimas
XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.
Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817
-
- Lunatic
- Posts: 323
- Joined: 2022-03-23, 16:41
- Location: Chamber of Secrets
Re: About the use of system libraries and CVE-2023-4863
jobbautista9 wrote: ↑2023-09-14, 06:45OP is a Gentoo user, what did you expect. Other than OpenRC, Gentoo users don't really do anything constructive IMHO.
Off-topic:
I wouldn't necessarily say someone's choice of operating system determines if someone does anything constructive. Gentoo is a fine piece of software, as are all distributions that don't use .deb packages.
-
- Moon lover
- Posts: 77
- Joined: 2020-07-02, 11:44
Re: About the use of system libraries and CVE-2023-4863
If you search the OP’s username, he’s quite active on GitHub
https://github.com/l29ah
A ‘FOSS activist’
Hmmmm…
It is common to think of our own time as standing at the apex of civilisation from which the deficiencies of preceding ages may patronisingly be viewed in the light of what is assumed to be progress. The reality is that in the long perspective of history the present century will not hold an enviable position unless the second half is to redeem its first.
Chief US prosecutor Robert Jackson's closing statement - Nuremberg 1946
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
Either way, an update has been released which addresses this issue.
(AVX builds will still need to be updated by Nuck-TH)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Lunatic
- Posts: 364
- Joined: 2023-06-28, 22:43
- Location: Australia
Re: About the use of system libraries and CVE-2023-4863
I feel cared for because of the speedy fix, thank you!
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
-
- Moonbather
- Posts: 71
- Joined: 2018-08-18, 23:54
Re: About the use of system libraries and CVE-2023-4863
Basilisk-Dev wrote: ↑2023-09-14, 01:58
Sometimes I find it truly difficult to determine if posts like these are being serious or if they are just trolls who fell for the "old and insecure" FUD. The argumentative tone and insults make it really difficult to take the OP seriously, and any reasonable person would know that type of arrogant attitude is likely to get them nothing other than a banhammer.
L29Ah, if you had simply come in and said "Hey guys, there is this WebP security vulnerability that I think you should know about. Have you reconsidered your use of system libraries in light of this security vulnerability?" then it would have led to a much more constructive discussion.

Well said.
I will only say this about L29Ah the OP - what goes around comes around, I'll leave it at that.
Plus, the fix for Pale Moon was released fairly quickly.
-
- Newbie
- Posts: 5
- Joined: 2023-09-12, 23:22
Re: About the use of system libraries and CVE-2023-4863
Fix for CVE-2023-5217 when?
-
- Pale Moon guru
- Posts: 35650
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: About the use of system libraries and CVE-2023-4863
It's DiD for Pale Moon (which you could have known if you'd read ANY of the recent threads dealing with this), exactly underlining my previous point of varying code usage of libs. So it'll be in the next point release and not going to stress with an out of band.
Off-topic:
Also, the minimal-effort entitled demand construct "{item X} when?" is extremely disrespectful to any software dev. I've seen it used (mostly in live stream chats) a lot lately and you really need to not use it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Newbie
- Posts: 5
- Joined: 2023-09-12, 23:22
Re: About the use of system libraries and CVE-2023-4863
Moonchild wrote: ↑2023-09-30, 12:28
It's DiD for Pale Moon (which you could have known if you'd read ANY of the recent threads dealing with this), exactly underlining my previous point of varying code usage of libs. So it'll be in the next point release and not going to stress with an out of band.
Off-topic:
Also, the minimal-effort entitled demand construct "{item X} when?" is extremely disrespectful to any software dev. I've seen it used (mostly in live stream chats) a lot lately and you really need to not use it.

I've glanced over it. Thanks for the clarification and sorry for the noise.