relevant_cves.json
122 lines (122 loc) · 6.5 KB
{
  "schema_version": 1,
  "generated_at": "2026-04-06T07:06:45Z",
  "project": "libwebp",
  "source_file": "/home/yans/code/safelibs/ported/libwebp/all_cves.json",
  "selection_notes": [
    "Included only CVEs whose primary failure mode is not buffer/ownership memory corruption and whose bug class can still survive a Rust rewrite.",
    "Kept arithmetic-overflow and resource-exhaustion issues because Rust still needs checked image math, explicit allocation caps, and malformed-input rejection.",
    "Excluded published CVEs centered on out-of-bounds access, use-after-free, double-free, or uninitialized-memory use because idiomatic safe Rust should remove those classes unless unsafe code reintroduces them.",
    "Reserved historical references and keyword-only indirect mentions were reviewed but not counted as relevant direct libwebp CVEs."
  ],
  "summary": {
    "published_cves_reviewed": 15,
    "relevant_non_memory_corruption_cves": 2,
    "category_counts": {
      "checked_arithmetic": 1,
      "resource_exhaustion": 1
    },
    "excluded_published_memory_safety_cves": 13,
    "reserved_or_keyword_only_entries_not_selected": 2
  },
  "relevant_cves": [
    {
      "cve_id": "CVE-2016-9085",
      "relevant_to_rust_reimplementation": true,
      "memory_corruption": false,
      "category": "checked_arithmetic",
      "rust_relevance": "high",
      "weaknesses": [
        "CWE-190"
      ],
      "published": "2017-02-03T15:59:00.727",
      "severity": {
        "base_score": 3.3,
        "base_severity": "LOW",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
      },
      "affected_versions_note": "NVD associates the issue with libwebp through 0.5.2, while the local upstream NEWS file says version 0.5.2 'covers CVE-2016-9085'. Treat this as a 0.5.x-era arithmetic-hardening signal rather than a perfectly reliable semver cutoff.",
      "component_hints": [
        "0.5.2-era encoder and tool arithmetic hardening",
        "cwebp/libwebp image-size and bytes-per-pixel calculations",
        "AnimEncoder-related frame sizing"
      ],
      "issue": "Multiple integer overflows were fixed in the 0.5.2 security hardening wave, including a ChangeLog entry for overflow when width * height * 4 reaches 2^32.",
      "why_it_matters_for_rust": "Rust memory safety does not make image-dimension math correct. A port can still wrap in release builds, panic in checked builds, or mis-size buffers if it uses unchecked multiplication, addition, or integer casts.",
      "porting_actions": [
        "Centralize width, height, stride, pixel-count, and bytes-per-pixel math with checked_mul, checked_add, and explicit TryFrom conversions.",
        "Apply hard upper bounds before allocating ARGB or animation buffers and before multiplying by bytes per pixel.",
        "Add regression tests for extreme dimensions and frame-count combinations near 32-bit and platform-size limits."
      ],
      "repo_evidence": [
        "original/ChangeLog:1353 records commit e2affacc: 'fix potential overflow when width * height * 4 >= (1<<32)'.",
        "original/NEWS:157-160 says version 0.5.2 covers CVE-2016-9085 and lists hardening in gif2webp/AnimEncoder plus cwebp/libwebp."
      ],
      "detail_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9085"
    },
    {
      "cve_id": "CVE-2020-36332",
      "relevant_to_rust_reimplementation": true,
      "memory_corruption": false,
      "category": "resource_exhaustion",
      "rust_relevance": "high",
      "weaknesses": [
        "CWE-20",
        "CWE-400"
      ],
      "published": "2021-05-21T17:15:08.443",
      "severity": {
        "base_score": 7.5,
        "base_severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
      },
      "affected_versions_note": "The NVD and CNA descriptions say the issue affects libwebp versions before 1.0.1.",
      "component_hints": [
        "lossless decoder Huffman image and group parsing",
        "VP8L Huffman table allocation",
        "malformed prefix-code handling"
      ],
      "issue": "Malformed files could make libwebp allocate an excessive amount of memory while reading invalid Huffman codes, leading to denial of service.",
      "why_it_matters_for_rust": "Rust still allocates what the algorithm asks for. Without explicit caps on Huffman group counts, alphabet sizes, and derived table sizes, a safe port can still hit OOM or spend excessive CPU and memory on hostile inputs.",
      "porting_actions": [
        "Bound lossless Huffman group counts by image geometry and reject implausible values before allocating.",
        "Compute table sizes with checked arithmetic and fail early on malformed prefix-code metadata.",
        "Regression-test bogus Huffman images and sparse group-number encodings that try to inflate intermediate structures."
      ],
      "repo_evidence": [
        "original/ChangeLog:756 records commit dce5d764: 'Limit memory allocation when reading invalid Huffman codes.'",
        "original/src/dec/vp8l_dec.c:399-445 caps num_htree_groups and allocates tables from attacker-controlled counts.",
        "original/src/utils/huffman_utils.c:217-275 builds and extends variable-sized Huffman table segments."
      ],
      "detail_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36332"
    }
  ],
  "excluded_examples": [
    {
      "cve_id": "CVE-2016-9969",
      "reason": "Double free in libwebpmux. This is an ownership-cleanup failure that idiomatic safe Rust should eliminate."
    },
    {
      "cve_id": "CVE-2018-25014",
      "reason": "Use of uninitialized value in ReadSymbol(). Excluded from the non-memory set because the primary lesson is unsafe-memory discipline, not parser semantics that safe Rust preserves by default."
    },
    {
      "cve_id": "CVE-2023-1999",
      "reason": "Use-after-free and double-free in the lossless encoder error path. Important history, but primarily a C ownership bug."
    },
    {
      "cve_id": "CVE-2023-4863",
      "reason": "Heap buffer overflow in the lossless decoder. Critical for bitstream hardening, but still a classic memory-corruption issue rather than a non-memory bug class."
    }
  ],
  "other_dataset_entries_reviewed_but_not_selected": [
    {
      "cve_id": "CVE-2016-8888",
      "reason": "Present only as a reserved historical reference in all_cves.json; it has no published CVE/NVD record to analyze as a direct libwebp vulnerability."
    },
    {
      "cve_id": "CVE-2017-17913",
      "reason": "Keyword-only false positive tied to GraphicsMagick's libwebp compatibility, not to a direct libwebp vulnerability record."
    }
  ]
}