
Are we affected by CVE-2023-5129 ? #140

Closed
ariselseng opened this issue Sep 28, 2023 · 17 comments · Fixed by #141

Comments

@ariselseng

thumbor/thumbor#1591

Maybe a simple rebuild of the image is enough to fix it?

@gingerlime
Contributor

Thanks for bringing this up. The main docker image for Thumbor is based on python:3.11. Could you help chase down the dependency tree to see if it was patched? There was also a mention of Pillow which I'm not 100% sure about.

I'll go ahead and try to rebuild it anyway. But it'd be worth double-checking that it does indeed fix the CVE rather than just blindly assume it would.

gingerlime pushed a commit that referenced this issue Sep 28, 2023
@gingerlime
Contributor

I pushed a new image, based on python:3.11 with sha256: 2e376990a11f1c1e03796d08db0e99c36eadb4bb6491372b227f1e53c3482914. Not sure if it fixes the CVE unfortunately or how to check. Would appreciate some help from the community here.

@ariselseng
Author

I think it can be verified, at least partly, by running this in the container:

apt update && apt list --upgradeable | grep webp

If there is no result, then it means it has the latest package available.
The Pillow dependency in thumbor I am not sure about.

@Speedy1991

Speedy1991 commented Sep 29, 2023

@ariselseng I don't think this will work as expected. I tried apt list --installed on a plain thumbor instance and webp isn't even installed there.

The only package I'm aware of is the pillow package using the webp-dev package (with my superficial knowledge of how dev packages work: these are just the header files with a peer dependency on webp)

So my guess is:
webp is (pre)compiled by pip when you install pillow and stored in the site_packages, but this is only a wild guess

apt list --installed | grep webp doesn't show up anything, but Pillow is still finding it - that means it is installed with webp support anyhow :)

Python 3.11.4 (main, Jul  4 2023, 05:51:40) [GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from PIL import features
>>> features.check_module('webp')
True

Edit:
In conclusion I think there must be an update in the setup.py to pillow 10.0.1 to get this fixed. I already tried this locally but there are breaking changes :/

@gingerlime
Contributor

gingerlime commented Sep 29, 2023

Thank you @Speedy1991. Then I guess we should report this upstream? Even though it was already mentioned (EDIT: I didn't realize it was you, haha)

@gingerlime
Contributor

@heynemann can you look into what it means to upgrade Pillow? It's possible that Thumbor is currently vulnerable to this webp vulnerability? (I'm not even sure how to verify it, but it is potentially a high-risk issue)

@ariselseng
Author

In the meantime, is it possible to disable webp input in thumbor?

@anselm-helbig

Pillow is shipping with libwebp. When building it from source it should use the OS' packages; I didn't succeed in forcing it to do so for our Docker deployment yet. I was following the instructions from Ben Hawkes' blog to produce a proof-of-concept webp image. When serving it with thumbor, I get a stacktrace like this:

2023-09-29 15:36:26 thumbor:ERROR ERROR: Traceback (most recent call last):
  File "/home/apprunner/.local/lib/python3.11/site-packages/thumbor/handlers/__init__.py", line 214, in get_image
    result = await self._fetch(self.context.request.image_url)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/apprunner/.local/lib/python3.11/site-packages/thumbor/handlers/__init__.py", line 956, in _fetch
    raise fetch_result.exception
  File "/home/apprunner/.local/lib/python3.11/site-packages/thumbor/handlers/__init__.py", line 924, in _fetch
    self.context.request.engine.load(fetch_result.buffer, extension)
  File "/home/apprunner/.local/lib/python3.11/site-packages/thumbor/engines/__init__.py", line 201, in load
    image_or_frames = self.create_image(buffer)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/apprunner/.local/lib/python3.11/site-packages/thumbor/engines/pil.py", line 109, in create_image
    img = Image.open(BytesIO(buffer))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/apprunner/.local/lib/python3.11/site-packages/PIL/Image.py", line 3282, in open
    im = _open_core(
         ^^^^^^^^^^^
  File "/home/apprunner/.local/lib/python3.11/site-packages/PIL/Image.py", line 3263, in _open_core
    im = factory(fp, filename)
         ^^^^^^^^^^^^^^^^^^^^^
  File "/home/apprunner/.local/lib/python3.11/site-packages/PIL/ImageFile.py", line 117, in __init__
    self._open()
  File "/home/apprunner/.local/lib/python3.11/site-packages/PIL/WebPImagePlugin.py", line 62, in _open
    self._decoder = _webp.WebPAnimDecoder(self.fp.read())
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OSError: could not create decoder object

2023-09-29 15:36:26 thumbor:ERROR [BaseHandler] get_image failed for url `development/666.webp`. error: `could not create decoder object`

As the image is not going to be anything that can be displayed, we might also get an error with the patched libwebp, hopefully a different one.

Upgrading Pillow to the most recent version is not an option as Thumbor requires Pillow 9.*. Only Pillow 10.0.1 seems to be fixed, there has been no release in the 9.x series recently.

Possible solutions:

  • patch Pillow 9.x
  • make Thumbor work with Pillow 10.x and use the patched version
  • build Pillow from source

As Thumbor is handling user data and usually has access to some kind of cloud storage, it's probably an interesting target for hackers. Any other ideas for how we can mitigate the risk? Currently, either building Pillow from source or forking the 9.x series seem to be the most straightforward solutions.

@heynemann
Contributor

Will work on this on the weekend, but if someone wants to tackle this in thumbor, it would be AWESOME :) I can provide help to fix thumbor to use the new pillow version.

@ariselseng
Author

I think this is fixed in upstream now. Is it possible to close this issue now with a new build?

@gingerlime
Contributor

That's great. Did they release a new version with the fix?

@gingerlime
Contributor

Looks like the latest is 7.5.2 from July https://pypi.org/project/thumbor/#history @heynemann can you push a new version to pypi? and then we can rebuild the docker image as well.

@gingerlime
Contributor

SIMD images are still using Pillow 9.x unfortunately which seems vulnerable. See #141 and uploadcare/pillow-simd#129

@gingerlime gingerlime reopened this Oct 11, 2023
@homm

homm commented Oct 12, 2023

These changes are unrelated to Pillow-simd, which doesn't have binary builds. It always uses system-provided versions of libraries

@gingerlime
Contributor

Thank you @homm. Can someone test which version of libwebp is used with the SIMD image? (or perhaps help with instructions on how to verify it conclusively).
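The question above (which libwebp the image actually decodes with, and how to verify it conclusively) and Speedy1991's earlier `features.check_module('webp')` check can be answered from inside the container with the following script. It is an added example, not code from the thread or from Thumbor/Pillow; it reads Pillow's own `PIL.features` module for the libwebp version, lists the libwebp shared objects mapped into the process via `/proc/self/maps` (so a wheel-bundled copy under `Pillow.libs/` is distinguishable from a distro package), and compares against libwebp 1.3.2, the release that carries the fix.

```python
import re
# libwebp 1.3.2 is the release that fixed the heap overflow behind
# CVE-2023-4863 / CVE-2023-5129; anything older is treated as affected.
FIXED_LIBWEBP = (1, 3, 2)


def parse_version(text):
    """Turn '1.2.4' (or '1.3.2.1') into a comparable tuple of ints."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums[:3])


def assess(libwebp_version, webp_enabled):
    """Verdict for an install given its libwebp version and WebP support."""
    if not webp_enabled:
        return "not-affected: Pillow has no WebP support"
    if libwebp_version is None:
        return "unknown: WebP enabled but libwebp version not reported"
    if parse_version(libwebp_version) >= FIXED_LIBWEBP:
        return f"fixed: libwebp {libwebp_version} >= 1.3.2"
    return f"affected: libwebp {libwebp_version} < 1.3.2, upgrade"


def loaded_libwebp_paths():
    """libwebp .so files mapped into this process (Linux only): a wheel
    copy lives under .../Pillow.libs/, a distro package under /usr/lib."""
    try:
        with open("/proc/self/maps") as maps:
            return sorted({ln.split()[-1] for ln in maps if "libwebp" in ln})
    except OSError:
        return []


def probe_pillow():
    """Query the installed Pillow; returns a report dict, never raises."""
    report = {"pillow": None, "webp": False, "libwebp": None, "libs": []}
    try:
        import PIL
        from PIL import features
    except ImportError:
        report["verdict"] = "unknown: Pillow is not installed"
        return report
    report["pillow"] = PIL.__version__
    report["webp"] = features.check_module("webp")      # imports PIL._webp
    report["libwebp"] = features.version_module("webp")  # None if no WebP
    report["libs"] = loaded_libwebp_paths()              # now mapped, if any
    report["verdict"] = assess(report["libwebp"], report["webp"])
    return report
```

Run `python -c "import probe; print(probe.probe_pillow())"` in both the regular and the SIMD container; for the SIMD image the `libs` entry should point at the distro's libwebp, whose version then comes from the OS package, not from Pillow.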

@gingerlime
Contributor

@anselm-helbig perhaps you can help?

lachesis pushed a commit to zincio/docker-thumbor that referenced this issue Feb 26, 2024
@gingerlime
Contributor

Closing due to inactivity.
