About the use of system libraries and CVE-2023-4863

[L29Ah]

libwebp remote code execution vulnerability is exploited in the wild, distros ship updated libwebp, every browser can utilize it, but not palemoon that elected to bundle an old version and doesn't care enough to issue a security release.

[Moonchild]

Wow, immediately jumping to a conclusion that "we don't care enough"? For something that was published.... yesterday? XD Are you for real?

[Pentium4User]

I think we should discuss that topic on a objective level.
Are there currently real vulnerabilities that can be used in real situations in PM when using the older version shipped with PM?

[q160765803]

Mozilla also doesn't use the most up-to-date libwebp, they backported that fix instead.
See also: viewtopic.php?f=5&t=30285

[Moonchild]

I'm working on a fix in our tree. Backporting is straightforward.

For the record: Mozilla also uses in-tree libwebp. They pushed a patch for it 30 hours ago to update their in-tree libwebp.
Despite me having many years of collaboration with MozSec, I am NOT given access to bugs of immediate vulnerabilities and am only granted access after Firefox releases upon request. The relevant sec bug for this issue in bugzilla is "access denied" for me just like anyone else, and I am not notified of bugs like these.

As such, OP's attitude and accusation is totally disingenuous and uncalled for. Being unaware of a 0day patch does not equal "not caring" and feels just like another dead horse beating of "you should use system libs"...

Are there currently real vulnerabilities that can be used in real situations in PM when using the older version shipped with PM?

Unknown, since I don't have access to bug discussion, proof-of-concepts and similar. We only have OP's word it's "exploited in the wild". If a specially crafted webp can cause a crash on an out-of-bounds address access then it's possible to craft an exploit, but certainly not trivial.

[Moonchild]

Filed Issue #2309 (UXP)

[L29Ah]

Wow, immediately jumping to a conclusion that "we don't care enough"? For something that was published.... yesterday? XD Are you for real?

If you cared, https://www.palemoon.org/redist.shtml wouldn't prohibit adjusting/unbundling libs for security fixes.

[L29Ah]

Unknown, since I don't have access to bug discussion, proof-of-concepts and similar. We only have OP's word it's "exploited in the wild". If a specially crafted webp can cause a crash on an out-of-bounds address access then it's possible to craft an exploit, but certainly not trivial.

That's Google's words, not mine; i'm sure if a vulnerability affects Chromium, it will also affect PM that shares the same vulnerable code.

[Moonchild]

If you cared

if you cared, you would have read and understood the sticky I referred to as to why you can't put the Pale Moon label on that.

i'm sure if a vulnerability affects Chromium, it will also affect PM that shares the same vulnerable code.

Then you don't seem to understand how a vulnerability in an application due to a libs' code doesn't automatically and equally affect a different application using the same lib in a different way. So i wouldn't be so sure about that.

[Basilisk-Dev]

Sometimes I find it truly difficult to determine if posts like these are being serious or if they are just trolls who fell for the "old and insecure" FUD. The argumentative tone and insults make it really difficult to take the OP seriously, and any reasonable person would know that type of arrogant attitude is likely to get them nothing other than a banhammer.

L29Ah, if you had simply came in and said "Hey guys, there is this WebP security vulnerability that I think you should know about. Have you reconsidered your use of system libraries in light of this security vulnerability?'" then it would have lead to a much more constructive discussion.

[moonbat]

constructive discussion

Like you said about trolls, this is assuming they wanted one in the first place.

[jobbautista9]

OP is a Gentoo user, what did you expect. Other than OpenRC, Gentoo users don't really do anything constructive IMHO.

[Basilisk-Dev]

OP is a Gentoo user, what did you expect. Other than OpenRC, Gentoo users don't really do anything constructive IMHO.

Off-topic:
I wouldn't necessarily say someone's choice of operating system determines if someone does anything constructive. Gentoo is a fine piece of software, as are all distributions that don't use .deb packages.

[smithy]

If you search the OP’s username, he’s quite active on GitHub

https://github.com/l29ah

A ‘FOSS activist’
Hmmmm…

[Moonchild]

Either way, an update has been released which addresses this issue.
(AVX builds will still need to be updated by Nuck-TH)

[suzyne]

I feel cared for because of the speedy fix, thank you!

[4td8s]

Sometimes I find it truly difficult to determine if posts like these are being serious or if they are just trolls who fell for the "old and insecure" FUD. The argumentative tone and insults make it really difficult to take the OP seriously, and any reasonable person would know that type of arrogant attitude is likely to get them nothing other than a banhammer.

L29Ah, if you had simply came in and said "Hey guys, there is this WebP security vulnerability that I think you should know about. Have you reconsidered your use of system libraries in light of this security vulnerability?'" then it would have lead to a much more constructive discussion.

well said.

I will only say this about L29Ah the OP - what goes around comes around, I'll leave it at that.

plus the fix for Palemoon was released fairly quickly

[L29Ah]

Fix for CVE-2023-5217 when?

[Moonchild]

Fix for CVE-2023-5217 when?

It's DiD for Pale Moon (which you could have known if you'd read ANY of the recent threads dealing with this), exactly underlining my previous point of varying code usage of libs. So it'll be in the next point release and not going to stress with an out of band.

Off-topic:
Also, the minimal-effort entitled demand construct "{item X} when?" is extremely disrespectful to any software dev. I've seen it used (mostly in live stream chats) a lot lately and you really need to not use it.

[L29Ah]

Fix for CVE-2023-5217 when?

It's DiD for Pale Moon (which you could have known if you'd read ANY of the recent threads dealing with this), exactly underlining my previous point of varying code usage of libs. So it'll be in the next point release and not going to stress with an out of band.

Off-topic:
Also, the minimal-effort entitled demand construct "{item X} when?" is extremely disrespectful to any software dev. I've seen it used (mostly in live stream chats) a lot lately and you really need to not use it.

I've glanced over it. Thanks for the clarification and sorry for the noise.