CVE-2023-5217 (libvpx heap buffer overflow) tracking

[xyzeva]

CVE-2023-5217 is a heap buffer overflow in libvpx's VP8 encoder, as many things such as electron and more are being tracked in this issue, so we can fix them in nixpkgs.

This vulnerability is yet to be rated, but we can assume (as its a heap buffer overflow), that it might be a big deal.

Current status

We currently have patched the libvpx package with #257941, vendored dependencies are tracked below.

How to help

• Review/merge any nixpkgs PR that you see pending in the task list below.
• If you have an idea of how to fix/address the vulnerability in any of the packages listed in the task list below, don't hesitate to post a comment here and send pull requests! Feel free to cc me on PRs so I can make sure they're tracked and they don't get lost.

Task list

• [X] libvpx is updated in master #257941
  • [X] libvpx is updated in release-23.05 #257960
• [x] electron needs to be updated to 26.2.4 #258146
  • [x] backport fix to electron_25 (update to 25.8.4) #258146
  • [x] backport fix to electron_24 (update to 24.8.5) #258146
  • [x] backport fix to electron_22 (update to 22.3.25) #258146

• [ ] Vendoring

  • [ ] High risk stuff (mail clients, IM clients, web browsers)
    • [X] signal-desktop needs to be updated to 6.32 #258129 (backport #258229)
    • [X] signal-desktop-beta needs to be updated to 6.32
    • [x] rocketchat-desktop #259038
    • [x] armcord https://github.com/NixOS/nixpkgs/pull/258217
    • [ ] indigenous-desktop (homepage URL leads to 404, appears to be a chat app)
    • [ ] mattermost-desktop
    • [ ] threema-desktop
    • [ ] thedesk
    • [x] gitter https://github.com/NixOS/nixpkgs/pull/255784 https://github.com/NixOS/nixpkgs/pull/255786
    • [ ] aether (upstream hasnt had a commit since 2021, TODO mark/remove?) #258556
    • [x] caprine-bin https://github.com/NixOS/nixpkgs/pull/260561
    • [ ] wire-desktop
    • [ ] keybase-gui
    • [x] mailspring https://github.com/NixOS/nixpkgs/pull/258217
    • [X] brave needs to be updated to 1.58.135 #258060 #258675
    • [X] tor-browser #258116 (backport #258137)
    • [X] microsoft-edge #258155
    • [X] mullvad-browser #258135 (backport #258138)
  • [ ] Other stuff
    • [x] octant-desktop #258061 (now archived removed
      • [x] mark known vulnerable on 23.05 https://github.com/NixOS/nixpkgs/pull/258448
    • [ ] figma-linux
    • [ ] insomnia
    • [x] freeswitch #259881
    • [x] losselesscut-bin
    • [ ] popcorntime
    • [x] snapmaker-luban #259111
    • [ ] keeweb
    • [x] zotero https://github.com/NixOS/nixpkgs/pull/262808
    • [ ] polar-bookshelf (homepage link broken)
    • [x] join-desktop #259067
    • [x] passky-desktop #207730
    • [ ] isabelle
    • [ ] onlyoffice
    • [ ] jellyseer #259076
    • [ ] yesplaymusic
    • [x] atom https://github.com/NixOS/nixpkgs/pull/258440
    • [x] pulsar #262376
    • [x] simplenote (no upstream commits since 2021, TODO mark/remove?) #259889
    • [x] joplin-desktop https://github.com/NixOS/nixpkgs/pull/258286
      • [ ] missing backport to release-23.05
    • [ ] cypress (upstream has had a fix but hasn't version bumped yet)
    • [ ] premid
    • [ ] tidal-hifi
    • [x] #314629
    • [ ] Jetbrains applications
      • [ ] mps
      • [x] pycharm-community https://github.com/NixOS/nixpkgs/pull/262418
      • [x] idea-community https://github.com/NixOS/nixpkgs/pull/260965
  • [ ] Libraries
    • [x] qtwebengine
    • [ ] libtoxcore
    • [ ] termcolor
    • [ ] nwjs https://github.com/NixOS/nixpkgs/pull/262424
    • [ ] jetbrains-jdk-jcef
    • [X] libcef
    • [x] python310Packages.get-video-properties #257947

  This task list may or may not be complete, if you think we are missing something, please feel free to cc me! Here is the scan ran by @delroth for vulnerable dependencices

[MikaelFangel]

Mark figma-linux as vulnerable to this CVE in #261404 until fix is available.

Maintainer will update on next release see: https://github.com/Figma-Linux/figma-linux/issues/341#issuecomment-1764332718

[MikaelFangel]

I suggest marking pulsar, as vulnerable in #262376 because it uses a very outdated version of electron and doesn't seem to plan to bundle a new version anytime soon.

[MikaelFangel]

Update pycharm here: #262418

And idea was updated by this pr: #260965

[MikaelFangel]

Have opened a draft pr fixing nwjs #262424, but I still need to do some more testing to ensure nothing breaks.

Edit Corrected the pr, so it points to the pr...

[i077]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

[Inkbottle007]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

Hi, as much as I would love to see Zotero 7 come to GA, it seems Zotero 6 has been patched: "Changes in 6.0.30 (November 2, 2023), [Security] Disabled libvpx support (CVE-2023-5217)" (https://www.zotero.org/support/changelog).

[camillemndn]

The current stable version of Zotero, based on Firefox 60 as discussed earlier here, is not going to get patched from what I can tell, so #262808 marks it as vulnerable until Zotero 7 hits GA.

Hi, as much as I would love to see Zotero 7 come to GA, it seems Zotero 6 has been patched: "Changes in 6.0.30 (November 2, 2023), [Security] Disabled libvpx support (CVE-2023-5217)" (https://www.zotero.org/support/changelog).

Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated...

[shlevy]

Opened https://github.com/NixOS/nixpkgs/pull/266033 to update Zotero 6

[Inkbottle007]

Hi, for those interested, I managed to package Zotero 7 built from source in https://github.com/camillemndn/nixos-config/tree/main/pkgs/applications/office/zotero, but I could not upstream it since it is based on Firefox 102 which is already deprecated...

Good job building Zotero 7 from source. Zotero seems like a Heath Robinson machine and the only way to distribute is is through its prebuilt which is what the Zotero 6 nixos package is doing I understand. I don't know why they need to vendor Firefox but that's another story.