!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

725 members, 223 servers
Coordination and triage of security issues in nixpkgs

12 Sep 2023
[15:42:35] @raitobezarius:matrix.org (raitobezarius): we don't
[15:42:40] @raitobezarius:matrix.org (raitobezarius): * (we don't)
[15:42:45] @raitobezarius:matrix.org (raitobezarius): * (we don't have someone on the private list)
[15:44:46] @lily:lily.flowers (Lily Foster)
In reply to @raitobezarius:matrix.org
(we don't have someone on the private list)
(I am talking about the private list, yes, for distro early notice under embargo, but I may have made up me thinking someone was on the list or I misunderstood. It's been a while now)
[15:45:51] @hexa:lossy.network (hexa): side notes can go into #security-discuss:nixos.org
[15:47:19] @janik0:matrix.org joined the room.
[15:47:29] @delroth:delroth.net (delroth):

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is a possibly controversial fix targeted at staging-next.
  • electron might need special handling if libwebp is vulnerable and it vendors libwebp. The latter hasn't been checked/confirmed by anyone yet.
[15:51:28] @delroth:delroth.net (delroth): https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566 seems to indicate that firefox at least thinks they're vulnerable
[15:51:43] @delroth:delroth.net (delroth): which is more evidence towards "all libwebp downstream users are vulnerable"
[15:52:49] @delroth:delroth.net (delroth): they seem to vendor libwebp though - that seems to go against what hexa was saying? or is it just using the vendored version as a fallback, and in nixpkgs we use our own libwebp? if they vendor we'll need to pick up their new release too
[15:53:12] @hexa:lossy.network (hexa): yes, they vendor everything as a fallback
[15:53:34] @hexa:lossy.network (hexa): we explicitly use system libs where possible
[15:56:43] @delroth:delroth.net (delroth): at least their backport of the vuln fix matches mine, so if I backported wrong I'm not alone :P
[16:17:29] @delroth:delroth.net (delroth): *

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is merged in staging-next.
  • electron might need special handling if libwebp is vulnerable and it vendors libwebp. The latter hasn't been checked/confirmed by anyone yet.
[16:20:26] @hexa:lossy.network (hexa): https://www.mozilla.org/en-US/firefox/117.0.1/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ (embargoed)
[16:20:55] @delroth:delroth.net (delroth): lol, "Security fix" thanks Mozilla
[16:22:54] @delroth:delroth.net (delroth): *

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is merged in staging-next, #254789 (not merged yet) is the backport to staging-23.05.
  • electron might need special handling if libwebp is vulnerable and it vendors libwebp. The latter hasn't been checked/confirmed by anyone yet.
[17:38:51] @delroth:delroth.net (delroth): *

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is merged in staging-next, #254789 (merged) is the backport to staging-23.05.
  • electron might need special handling if libwebp is vulnerable and it vendors libwebp. The latter hasn't been checked/confirmed by anyone yet.
[18:00:21] @lily:lily.flowers (Lily Foster):

By the way, Electron seems to have merged the chromium bump into 26-x-y branch and there are open backport PRs for the patches upstream (25-x-y, 24-x-y, 22-x-y). Hopefully they make new releases soon with those

Given we use their binary release instead of building from source at the moment (although there is an impressive nixpkgs PR open to change that soon), it almost certainly has the bundled libwebp from the chromium source the electron version was built against (and is therefore almost certainly using a vulnerable version)
[18:10:43] @delroth:delroth.net (delroth): *

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is merged in staging-next, #254789 (merged) is the backport to staging-23.05.
  • electron is likely also vulnerable. Upstream has started merging chromium version bumps to their 26.x, 25.x, 24.x and 22.x branches. No release yet. We'll need to pick up the new electron version updates when available.

[18:17:32] @delroth:delroth.net (delroth): now tracking CVE-2023-4863 in https://github.com/NixOS/nixpkgs/issues/254798
[18:17:47] @delroth:delroth.net (delroth): *

Just summarizing CVE-2023-4863 status (everything discussed above):

  • Critical vuln, exploited in the wild
  • Chrome/Chromium are up to date on master and release-23.05
  • libwebp and all its downstream users are strongly suspected (but no official confirmation) to also be vulnerable. #254775 is merged in staging-next, #254789 (merged) is the backport to staging-23.05.
  • electron is likely also vulnerable. Upstream has started merging chromium version bumps to their 26.x, 25.x, 24.x and 22.x branches. No release yet. We'll need to pick up the new electron version updates when available.

EDIT: now tracking in https://github.com/NixOS/nixpkgs/issues/254798

[19:06:59] @ajcxz0:matrix.org joined the room.
13 Sep 2023
[06:02:30] @xfix:matrix.org joined the room.
[10:27:25] @jushur:matrix.org (j_t_eklund) joined the room.
[14:22:48] @yaya:uwu.is (yaya):

CVE-2023-38039

  • https://github.com/NixOS/nixpkgs/pull/254962
  • https://github.com/NixOS/nixpkgs/pull/254963

[21:36:21] @jushur:matrix.org (j_t_eklund) set a profile picture.
14 Sep 2023
[05:30:16] @goodboy:matrix.org (lord_fomo)
In reply to @hexa:lossy.network
https://www.mozilla.org/en-US/firefox/117.0.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ (embargoed)
slightly confused, ff says it's patched in 117.0.1
