Closed Bug 1480092 Opened 6 years ago Closed 6 years ago

WebRTC: Use-after-free in VP8 Block Decoding

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 62+ fixed
firefox61 --- wontfix
firefox62 + fixed
firefox63 + fixed

People

(Reporter: posidron, Assigned: dminor)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main62+][adv-esr60.2+])

Attachments

(1 file)

Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno
46 bytes, text/x-phabricator-request
drno
: review+
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr60+
abillings
: sec-approval+
Details | Review 
From Google's Project Zero:

WebRTC: Use-after-free in VP8 Block Decoding
https://bugs.chromium.org/p/project-zero/issues/detail?id=1575
Group: core-security → media-core-security
Again the same situation: Project Zero discloses and the Chromium bug is still not accessible.
Rank: 5
Priority: -- → P1
Dan can you check if you can find out the commit which fixed this upstream?
Flags: needinfo?(dveditz)
Assignee: nobody → dminor
Given the chrome bug # given in the GPZ bug it should be this one:
https://chromium.googlesource.com/webm/libvpx/+/52add5896661d186dec284ed646a4b33b607d2c7
Flags: needinfo?(dveditz)
That looks very plausible. Dan can you look into cherry picking that fix into our affected versions?
Flags: needinfo?(dminor)
Since this is fixed on head and not the v1.7.0 release, we'll need to carry
the patch until the next release of libvpx.
Sure thing.
Flags: needinfo?(dminor)
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, but the upstream patch mentions that it fixes a UAF.

Which older supported branches are affected by this flaw?
All.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
No, but easy to create, this is a one liner.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely, patch has already in use upstream.
Attachment #8998165 - Flags: sec-approval?
:drno, the review in phabricator says I need to make revisions to proceed. Based on your LGTM, I assume you meant to leave a r+ but something went wrong. Please let me know.
Flags: needinfo?(drno)
(In reply to Dan Minor [:dminor] from comment #8)
> :drno, the review in phabricator says I need to make revisions to proceed.
> Based on your LGTM, I assume you meant to leave a r+ but something went
> wrong. Please let me know.

Thanks for pinging me. That was pretty clearly a UI bug in phabricator. I did select "accept" and then typed my comment. Apparently typing my comment reset the drop down to the default value :-(
Flags: needinfo?(drno)
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

Nils Ohlmeier [:drno] has approved the revision.
Attachment #8998165 - Flags: review+
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

sec-approval+ for trunk. We'll want Beta and ESR60 patches nominated too.
Attachment #8998165 - Flags: sec-approval? → sec-approval+
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

Approval Request Comment
[Feature/Bug causing the regression]:
This is a bug in an upstream library.
[User impact if declined]:
Security problems.
[Is this code covered by automated tests?]:
No.
[Has the fix been verified in Nightly?]:
No, but this is a patch from upstream which has been verified in Chrome.
[Needs manual test from QE? If yes, steps to reproduce]:
No. 
[List of other uplifts needed for the feature/fix]:
None.
[Is the change risky?]:
No.
[Why is the change risky/not risky?]:
This is a cherrypick of an upstream patch.
[String changes made/needed]:
None.
Attachment #8998165 - Flags: approval-mozilla-beta?
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: 
Fix Landed on Version:
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch: 

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8998165 - Flags: approval-mozilla-esr60?
https://hg.mozilla.org/mozilla-central/rev/16aa20e2e300
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Comment on attachment 8998165 [details]
Bug 1480092 - Cherrypick rev 52add5896661d186dec284ed646a4b33b607d2c7; r=drno

Fixes a sec-high. Approved for 62.0b18 and ESR 60.2.
Attachment #8998165 - Flags: approval-mozilla-esr60?
Attachment #8998165 - Flags: approval-mozilla-esr60+
Attachment #8998165 - Flags: approval-mozilla-beta?
Attachment #8998165 - Flags: approval-mozilla-beta+
Whiteboard: [adv-main62+][adv-esr60.2+]
Flags: qe-verify-
Whiteboard: [adv-main62+][adv-esr60.2+] → [post-critsmash-triage][adv-main62+][adv-esr60.2+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: