Vulnerability in libwebp dependency, please upgrade sharp to 0.32.6 (CVE-2023-4863)
lovell opened this issue · 11 comments
Overview
sharp uses libwebp to decode WebP images, and versions prior to the latest 0.32.6 are vulnerable to the high severity CVE-2023-4863, which in turn is linked to CVE-2023-41064.
You've probably noticed a lot of operating system and app updates during the last week, including iOS, Chrome, WhatsApp etc. and many of these updates relate to this same problem.
Who does this affect?
Almost anyone processing untrusted input with sharp.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp.
Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.
Using a globally-installed libvips?
Please ensure you are using the latest libwebp 1.3.2.
Possible workaround
Add the following to your code to prevent sharp from decoding WebP images.
sharp.block({ operation: ["VipsForeignLoadWebp"] });
To be able to use sharp.block in TypeScript, the declaration of sharp needs to be extended, like this:
// tsconfig.json
{
  "compilerOptions": {
    // ...
    "typeRoots": ["./node_modules/@types", "./src/typings"],
  }
}

// src/typings/sharp-extensions.d.ts
import "sharp";
declare module "sharp" {
  export function block(options: { operation: string[] }): void;
}
It looks like the fix is already there https://chromium.googlesource.com/webm/libwebp/+/refs/tags/v1.3.2
@ldrick Happy to accept a PR adding this definition to https://github.com/lovell/sharp/blob/main/lib/index.d.ts if you're able.
sharp 0.32.6 is now available and provides libwebp 1.3.2. Please upgrade, especially if you process untrusted input.
Hi, @lovell
There is no mention of this in the 0.32.6 changelog; is it possible to add it?
@yisibl The changelog includes changes to sharp and the minimum supported version of libvips for those who prefer not to use prebuilt binaries.
The versions of all dependencies provided in the prebuilt binaries are made available via sharp.versions.
I cannot list every change in every dependency every time, but I will open an issue on sharp and promote on social media if I'm aware of something that I think would make upgrading worthwhile, as is the case here.
@lovell Would it be possible to list this within https://github.com/lovell/sharp/security and/or flag the vulnerable builds so that users of npm audit get notified of this situation?
@natevw This vulnerability isn't in sharp itself, and isn't in anything published to npm either, but is rather in the binaries that sharp will probably download from the sharp-libvips GitHub Releases. It's yet another reason for the importance of #3750 as by publishing everything to the npm registry we can flag specific npm packages as vulnerable.
Perhaps this would be better listed as part of GHSA-j7hp-h8jx-5ppr itself, which is backed by the data in https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-j7hp-h8jx-5ppr/GHSA-j7hp-h8jx-5ppr.json as that should result in npm audit flagging up versions of sharp that may download vulnerable binaries at install time.
This vulnerability isn't in sharp itself, and isn't in anything published to npm either, but is rather in the binaries that sharp will probably download from the sharp-libvips GitHub Releases.
As a user of this package, that seems a rather meaningless distinction? The vulnerability is that I have some older install of e.g. "sharp": "^0.32.2" locked in, and the mitigation would be to depend on "sharp": "^0.32.6" instead.
This is exactly the sort of thing npm audit could flag and fix, but instead I wasn't aware until I finally had a random "shower thought" months later connecting some of the things I had happened to have heard about in tech news and remembered to proactively come here looking for this announcement once I was at my laptop. And then, it wasn't even announced in the Security tab here, I initially found it by searching "webp" myself (although I do see it's at least a pinned issue)!
Most people don't visit the issues tab here on this repo as part of their morning routine. Until the new work lands to give the underlying dependencies their own packages (and props for that), I would argue that the "buck stops here" and would encourage you to more proactively alert any other users of the vulnerability which older versions of this package cause, since some might still be unaware.
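The thread makes two practical points: the sharp.block workaround from the opening post disables WebP decoding as a stop-gap, and npm audit does not flag an older sharp range locked in a project because the vulnerable code lives in the downloaded binaries rather than in an npm package. The following script is an added example, not code from the sharp project or from anyone in this thread. It compares the libwebp version reported by sharp.versions against 1.3.2 and applies the block only when the bundled library is older, and it walks a package-lock.json to list sharp entries still below 0.32.6. It assumes that sharp.versions carries a `webp` key (check the output of your own install) and that the lockfile uses the `packages` map of lockfileVersion 2 or 3; the sharp module is passed in as a parameter so the logic can be exercised with a fake object where sharp is not installed.

```javascript
// Added example (not from the sharp project): check whether the libwebp bundled
// with an installed sharp is at or above the fixed release, apply the
// sharp.block() workaround only when it is not, and audit a package-lock.json
// for sharp versions that still need upgrading.

const FIXED_LIBWEBP = "1.3.2"; // first libwebp release carrying the CVE-2023-4863 fix
const FIXED_SHARP = "0.32.6";  // first sharp release whose prebuilt binaries bundle libwebp 1.3.2

// Parse "1.3.2" (optionally "v1.3.2" or "1.3.2-rc1") into [1, 3, 2].
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

// Comparator on major.minor.patch: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the libwebp reported by sharp.versions is patched.
// Assumption: the object has a `webp` key, as the prebuilt-binary manifest does.
function libwebpIsPatched(versions) {
  if (!versions || typeof versions.webp !== "string") return false;
  return compareVersions(versions.webp, FIXED_LIBWEBP) >= 0;
}

// True when a resolved sharp version is at or above 0.32.6.
function sharpVersionIsPatched(installed) {
  return compareVersions(installed, FIXED_SHARP) >= 0;
}

// Walk the `packages` map of a package-lock.json (lockfileVersion 2/3) and
// return every sharp entry, top-level or nested, that resolves below 0.32.6.
function vulnerableSharpInLock(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isSharp = path === "node_modules/sharp" || path.endsWith("/node_modules/sharp");
    if (isSharp && entry && typeof entry.version === "string" && !sharpVersionIsPatched(entry.version)) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Apply the workaround from the issue only when the bundled libwebp is too old.
// `sharpModule` is injected so this can run against a fake object in tests.
function hardenSharp(sharpModule) {
  if (libwebpIsPatched(sharpModule.versions)) {
    return { blocked: false, reason: `libwebp ${sharpModule.versions.webp} is at or above ${FIXED_LIBWEBP}` };
  }
  sharpModule.block({ operation: ["VipsForeignLoadWebp"] });
  return { blocked: true, reason: `libwebp older than ${FIXED_LIBWEBP}; WebP decoding disabled` };
}

// Stand-alone run: inspect the real sharp install if one is present.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  try {
    const sharp = require("sharp");
    console.log(hardenSharp(sharp));
  } catch (e) {
    console.log("sharp is not installed here; run this inside a project that depends on it");
  }
}
```

In a service that cannot upgrade immediately, calling hardenSharp at startup gives the stop-gap from the issue without permanently disabling WebP once a patched build is installed; the lockfile check is what npm audit would have reported had the advisory been attached to the sharp package.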
I was hoping we could re-use the existing GHSA-j7hp-h8jx-5ppr advisory as I didn't want to generate a new CVE via the sharp repo and confuse things.
However it looks like it's now possible to create an advisory using an existing CVE, so please see GHSA-54xq-cgqr-rpm3