CVE-2023-5217 (libvpx heap buffer overflow) tracking

[xyzeva]

CVE-2023-5217 is a heap buffer overflow in libvpx's VP8 encoder, as many things such as electron and more are being tracked in this issue, so we can fix them in nixpkgs.

This vulnerability is yet to be rated, but we can assume (as its a heap buffer overflow), that it might be a big deal.

Current status

We currently have patched the libvpx package with #257941, vendored dependencies are tracked below.

How to help

• Review/merge any nixpkgs PR that you see pending in the task list below.
• If you have an idea of how to fix/address the vulnerability in any of the packages listed in the task list below, don't hesitate to post a comment here and send pull requests! Feel free to cc me on PRs so I can make sure they're tracked and they don't get lost.

Task list

• [X] libvpx is updated in master #257941
  • [X] libvpx is updated in release-23.05 #257960
• [x] electron needs to be updated to 26.2.4 #258146
  • [x] backport fix to electron_25 (update to 25.8.4) #258146
  • [x] backport fix to electron_24 (update to 24.8.5) #258146
  • [x] backport fix to electron_22 (update to 22.3.25) #258146

• [ ] Vendoring

  • [ ] High risk stuff (mail clients, IM clients, web browsers)
    • [X] signal-desktop needs to be updated to 6.32 #258129 (backport #258229)
    • [X] signal-desktop-beta needs to be updated to 6.32
    • [x] rocketchat-desktop #259038
    • [x] armcord https://github.com/NixOS/nixpkgs/pull/258217
    • [ ] indigenous-desktop (homepage URL leads to 404, appears to be a chat app)
    • [ ] mattermost-desktop
    • [ ] threema-desktop
    • [ ] thedesk
    • [x] gitter https://github.com/NixOS/nixpkgs/pull/255784 https://github.com/NixOS/nixpkgs/pull/255786
    • [ ] aether (upstream hasnt had a commit since 2021, TODO mark/remove?) #258556
    • [x] caprine-bin https://github.com/NixOS/nixpkgs/pull/260561
    • [ ] wire-desktop
    • [ ] keybase-gui
    • [x] mailspring https://github.com/NixOS/nixpkgs/pull/258217
    • [X] brave needs to be updated to 1.58.135 #258060 #258675
    • [X] tor-browser #258116 (backport #258137)
    • [X] microsoft-edge #258155
    • [X] mullvad-browser #258135 (backport #258138)
  • [ ] Other stuff
    • [x] octant-desktop #258061 (now archived removed
      • [x] mark known vulnerable on 23.05 https://github.com/NixOS/nixpkgs/pull/258448
    • [ ] figma-linux
    • [ ] insomnia
    • [x] freeswitch #259881
    • [x] losselesscut-bin
    • [ ] popcorntime
    • [x] snapmaker-luban #259111
    • [ ] keeweb
    • [x] zotero https://github.com/NixOS/nixpkgs/pull/262808
    • [ ] polar-bookshelf (homepage link broken)
    • [x] join-desktop #259067
    • [x] passky-desktop #207730
    • [ ] isabelle
    • [ ] onlyoffice
    • [ ] jellyseer #259076
    • [ ] yesplaymusic
    • [x] atom https://github.com/NixOS/nixpkgs/pull/258440
    • [x] pulsar #262376
    • [x] simplenote (no upstream commits since 2021, TODO mark/remove?) #259889
    • [x] joplin-desktop https://github.com/NixOS/nixpkgs/pull/258286
      • [ ] missing backport to release-23.05
    • [ ] cypress (upstream has had a fix but hasn't version bumped yet)
    • [ ] premid
    • [ ] tidal-hifi
    • [x] #314629
    • [ ] Jetbrains applications
      • [ ] mps
      • [x] pycharm-community https://github.com/NixOS/nixpkgs/pull/262418
      • [x] idea-community https://github.com/NixOS/nixpkgs/pull/260965
  • [ ] Libraries
    • [x] qtwebengine
    • [ ] libtoxcore
    • [ ] termcolor
    • [ ] nwjs https://github.com/NixOS/nixpkgs/pull/262424
    • [ ] jetbrains-jdk-jcef
    • [X] libcef
    • [x] python310Packages.get-video-properties #257947

  This task list may or may not be complete, if you think we are missing something, please feel free to cc me! Here is the scan ran by @delroth for vulnerable dependencices

[xyzeva]

@Kiwi: simplenote, binary provenance, package seems obsolete

[xyzeva]

@maxhille: aether, binary provenance, package seems obsolete

[xyzeva]

@06kellyjac: octant-desktop, binary provenance, upstream is archived

[xyzeva]

@noneucat: polar-bookshelf, binary provenance, package seems obsolete

[xyzeva]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

[xyzeva]

@Mic92, @equirosa, @urandom2: signal-desktop, binary provenance, update available, priority is high

[xyzeva]

@Mic92, @equirosa, @urandom2: signal-desktop-beta, binary provenance, update available, priority is high

[equirosa]

On September 29, 2023 9:08:28 AM CST, Eva @.***> wrote:

@Mic92, @equirosa, @urandom2: signal-desktop, binary provenance, update available, priority is high

On it! :)

[WolfangAukang]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

[WolfangAukang]

Regarding threema-desktop (I'm the maintainer), there was a similar issue (https://github.com/NixOS/nixpkgs/issues/254798) that asked to remove lib/threema/threema-web, but as this package is using the bundled electron, it wasn't necessary to keep tracking.

Still I have this PR open that removes that component https://github.com/NixOS/nixpkgs/pull/255899

[MikaelFangel]

Brave is being updated in this PR #258060

[WolfangAukang]

Regarding thedesk (I'm the maintainer), this is a similar case as threema-desktop: application is using bundled electron version but the package contains the binary from the deb file.

PR: https://github.com/NixOS/nixpkgs/pull/258075

[xyzeva]

@travisbhartwell, @manveru, @prusnak: could we get electron fixes underway?

[mweinelt]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

Then it should be marked knownVulnerable, because they use an end-of-life and vulnerable electron version. Please make that happen if you are opposed to removing it.

[WolfangAukang]

@WolfangAukang: indigenous-desktop, binary provenance, package seems obsolete

Not obsolete, they changed the repo name. I can build it from source, but the problem is that it does not work with an Electron version superior to 19.

Then it should be marked knownVulnerable, because they use an end-of-life and vulnerable electron version. Please make that happen if you are opposed to removing it.

You mean knownVulnerabilities? Not able to find any examples with knownVulnerable.

[xyzeva]

New logs starting up by @delroth, should be more usable for reading seashell link

[felschr]

• https://github.com/NixOS/nixpkgs/pull/258116
• https://github.com/NixOS/nixpkgs/pull/258137
• https://github.com/NixOS/nixpkgs/pull/258135
• https://github.com/NixOS/nixpkgs/pull/258138

[rhysmdnz]

• https://github.com/NixOS/nixpkgs/pull/258155

[vcunat]

In addition to the VP8 CVE above, there's now a VP9 CVE https://github.com/NixOS/nixpkgs/pull/258295 so maybe updating everything will need to be redone again?

[xyzeva]

In addition to the VP8 CVE above, there's now a VP9 CVE #258295 so maybe updating everything will need to be redone again?

We are talking about what to do with the new CVE on the matrix room, we are going to use the same tracking issue, probably

[MikaelFangel]

Maybe the solution for mailspring and armcord should be the same as this #258217, but it should be noted that there is some effort to update the electron version of mailspring, though.

[SuperSandro2000]

We should take this opportunity to drop atom. https://atom.io redirects to https://github.blog/2022-06-08-sunsetting-atom/ which explicitly states No more security updates and the repo is archived since last November.

258440

[MikaelFangel]

As for gitter then it has been removed by #255784 as part of the another CVE.

[buckley310]

Looks like Brave didn't get auto-backported properly. I can do a PR in the next day or two unless someone feels like grabbing it sooner.

[xyzeva]

One mass-ping for everyone:

mattermost-desktop: @jokogr caprine-bin: @ShamrockLee wire-desktop: @arianvp, @Kiwi, @toonn keybase-gui: @Avaq, @rvolosatovs, @puffnfresh, @np, @Br1ght0ne, @kf5grd figma-linux: @ercao, @kashw2 insomnia: @markus1189, @babariviere, @kashw2 freeswitch: drop, no maintainers (cc @mweinelt) popcorntime: @onny snapmaker-luban: @simonkampe keeweb: @sikmir zotero: @i077 polar-bookshelf: @noneucat join-desktop: @SuperSandro2000 passky-desktop: @akkesm isabelle: @jwiegley, @jvanbruegge onlyoffice: @nh2, @GTrunSec jellyseer: @camillemndn yesplaymusic: @LostAttractor obs-studio: @jb55, @MP2E, @deviant, @materusPL pulsar: @COLAMAroro simplenote: @Kiwi cypress: @thorstenweber83, @mmahut, @Craftzman7 premid: @natto1784 tidal-hifi: @qbit, @spikespaz radicle-upstream: @d-xo jetbrains.mps: @rasendubi jetbrains.pycharm-community: @GenericNerdyUsername, @tymscar jetbrains.idea-community: @edwtjo, @gytis-ivaskevicius, @steinybot, @AnatolyPopov, @tymscar qtwebengine: @milahu, @NickCao

[xyzeva]

libtoxcore: @peterhoeg, @ehmry termcolor: @prusnak libaom: @primeos, @kiloreux, @dali99 nwjs: @offlinehacker jetbrains.jdk: @edwtjo

thats all! please update/drop your packages maintainers!

[COLAMAroro]

A fair warning concerning Pulsar

I didn't get the time to do it yet, but I will probably soon drop my maintainer status of Pulsar (due to lack of time, and some personal reasons). I gave every piece of documentation I could upstream so that someone else there can take over.

Beyond that, I doubt there will be an update to a newer Electron in the near future (because backporting the Atom codebase to a newer electron is a pain). "Fortunately", I think there is a low risk for this CVE on Pulsar. It's not as widespread as Atom once was, printing arbitrary HTML isn't quite straightforward, and probably will require a plugin, which can already run arbitrary JavaScript.

Pinging @mauricioszabo who has been leading this Electron version bump. If comes a patch for this CVE and nobody can take the maintainership, I'll see if I can find some time to update for nixpkgs.

[SuperSandro2000]

dropping join-desktop in #259067

[mauricioszabo]

@COLAMAroro I am glad to say that you're wrong about the update to a newer Electron :).

Currently, I am using - even professionally - Pulsar under Electron 25 (can't bump to Electron 26 because it crashes on my Linux machine). In fact, it's been working so well that we're about to start a "next-gen" or maybe "beta" channel for it, so people that want to check if their packages run in this new version of Pulsar can actually try it.

[dali99]

As far as I can tell (and I have asked for clarification in the security room - but not yet received an answer), libaom does not vendor libvpx.

It is however a google media codec, and has inherited big parts of libvpx. I've tried finding similar code as what's been patched, but haven't found anything

EDIT: confirmed as false positive

[deviant]

Is there any place to see why individual packages were flagged? All of the seashell links are broken, presumably expired. I'm a maintainer for obs-studio, and can't find them vendoring libvpx— rather it's used via libavcodec, from ffmpeg, which pulls in libvpx from Nixpkgs.

[delroth]

IIRC obs-studio vendors a libcef.so which vendors libvpx.

[deviant]

@delroth Thanks for the pointer! It's actually vendoring files from Nixpkgs' libcef [pname is "cef-binary"] package, which should probably be on the list instead.

[delroth]

@delroth Thanks for the pointer! It's actually vendoring files from Nixpkgs' libcef [pname is "cef-binary"] package, which should probably be on the list instead.

Yeah, I'm not sure why it's not on the list, the automated tooling should have detected it too. I'll let @xyzeva double check this.

OTOH if this is really just vendored without any modifications it should probably be symlinked instead. Not only would that help us with security tracking in cases like this, but it's a 300MB binary duplicated for (likely?) no good reason.

[deviant]

Yeah, I'm not sure why it's not on the list,

I've just checked and the libcef package is already recent enough to be based on a version of Chromium that isn't vulnerable. So it's not actually an issue— meaning obs-studio should be safe. This issue was created prior to libcef being updated, so it wasn't a false-positive, just no longer valid.

OTOH if this is really just vendored without any modifications it should probably be symlinked instead. Not only would that help us with security tracking in cases like this, but it's a 300MB binary duplicated for (likely?) no good reason.

Good idea! I'm not sure why exactly, appears to be a copy+paste job. I'll create an issue for it.

[xyzeva]

I just updated everything according to the replies & new open PRs, thanks everyone for collaborating and fixing up my mistakes 😅

[MikaelFangel]

Freeswitch has implemented a fix for the CVE here: signalwire/freeswitch/pull/2259, but haven't version bumped yet.

[jvanbruegge]

I am not entirely sure, but isabelle might be fixed with the new version: https://github.com/NixOS/nixpkgs/pull/243497

[OPNA2608]

Pale Moon's UXP / XUL bundles libvpx and upstream says they were affected, https://github.com/NixOS/nixpkgs/pull/259204 bumps palemoon-bin to a fixed version.

[ShamrockLee]

I created an issue at the upstream project of caprine-bin (sindresorhus/caprine#2081).

[i077]

Zotero 6 is not affected by this according to the dev mailing list.

[vcunat]

I'm a bit doubtful. The list above was created by some scanning of the binary, right? I thought zotero was based on Firefox/XUL, and default XUL binary does bundle libvpx inside.

[i077]

I think it is based on XUL, but I think the version of Firefox that comes from is very old. In the JS console in version 6.0.26, Services.appinfo.platformVersion evaluates to "60.9.0", but running the same in the browser console of the most recent release of Firefox evaluates to "118.0.1". Firefox 60.9.0 was released in September 2019. I don't know exactly how the scan was done, as the link to the scan results in the OP is broken.

I can contact their security email or post in the forums about this, but I'm not really sure what the best course of action here is in the meantime. There is Zotero 7 in beta, which patched this vulnerability in a recent build.

[NickCao]

qtwebengine uses system libvpx thus should not be affected.

[MikaelFangel]

I have applied a patch for the CVE in freeswitch in this pr: #259881

[MikaelFangel]

Suggesting to remove simplenote in: #259889

[MikaelFangel]

I looked at mattermost-desktop, and it doesn't use the shipped Electron version, rather it uses the Electron_26 from nixpkgs. Thus, if I haven't missed anything, it should be resolved, right?

See the line here. 😃

[MikaelFangel]

Also should mullvad-vpn not be on the list? It was also found by the vendoring checker https://clbin.com/haJzA. It has an upstream release bundling a new Electron version.

And the pr updating it can be found here #260407

[maxhille]

@xyzeva aether is now removed from master by https://github.com/NixOS/nixpkgs/pull/258556

[qbit]

For tidal-hifi there is a push to get it building from source: https://github.com/NixOS/nixpkgs/pull/252307 - I am not versed enough to be able to help.. maybe someone else can?