Closed Bug 1105688 (CVE-2014-8001) Opened 10 years ago Closed 10 years ago

Cisco OpenH264 Media Processing Buffer Overflow Vulnerability

Component: Core :: WebRTC: Audio/Video
Type: defect
Platform: x86_64, Linux
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME
Reporter: freddy
Assignee: Unassigned
References: Blocks 1 open bug

--- quote from URL ---
A vulnerability in applications that use the Cisco OpenH264 library could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code.

The vulnerability is due to improper handling of input within encoded media files. An unauthenticated, remote attacker could exploit this vulnerability to cause an application using the affected component to terminate unexpectedly or execute arbitrary code with the privileges of the targeted application.

Cisco has confirmed the vulnerability and released a software patch.

The vulnerability was reported to Cisco by HP's Zero Day Initiative and discovered by Oksana.
--- end quote ---

This is likely not as bad as it could be, since the plugin runs in a sandbox.

We were notified in August by HP's ZDI that Oksana had found two problems. At the time we were notified they had already been found/fixed. Here are the commit details to OpenH264 for the fixes:

******************************************************
commit 6489e7b38ad852a20f87214571fac382150dee62
Merge: e66cf53 1ec213d
Author: dongzha <dongzha@cisco.com>
Date: Tue Jul 8 12:49:42 2014 +0800
Merge pull request #1096 from huili2/early_stop_parse_rec_bug
stop early error for parse/recon MB
******************************************************
commit 0ad30516c537bf6d4359e43bbe0185db6abcf809
Merge: ab41e69 f1a0a81
Author: HaiboZhu <haibozhu@cisco.com>
Date: Sat Jul 5 13:24:10 2014 +0800
Merge pull request #1088 from huili2/crash_dpb_ec
dpb uninitial crash for EC
*******************************************************

Since you did not give any details I am going to assume that these are the same ones you are reporting here. These vulnerabilities are not in any release of OpenH264 that is used by Firefox.

All details are in the Cisco website linked through the URL field of this bug. Feel free to close out, if they match.

A major news website in Germany reports about these bugs putting Firefox users at risk.

Here's what I did to confirm that we are not affected:

* The Cisco advisories link to pull requests in the "Vendor Announcements" section (the same as Ethan mentions in comment 1 – oversight on my part).
* I browsed the openh264 repository on Github and looked at the branch tagged v1.1, to ensure that the patches were indeed already included (e.g. https://github.com/cisco/openh264/blob/v1.1/codec/decoder/core/src/decode_slice.cpp). They are.
* I then looked at about:plugins to verify that Firefox is indeed using version 1.1, which we are.

This leads me to the conclusion that the Cisco security alert should have said "versions prior to 1.1 are affected". It says 1.2 and below, which doesn't make a lot of sense. There is no version 1.2.

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
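
The manual check described in the last comment (are the fix commits already part of the release tag?) can be scripted with git ancestry tests. This is an added example, not part of the original bug thread and not Mozilla or Cisco tooling; the function names `fix_in_release` and `make_demo_repo` are hypothetical, and the demo repository is constructed.

```shell
#!/bin/sh
# fix_in_release REPO TAG COMMIT...
# Prints "<commit> included|MISSING|UNKNOWN" per commit.
# Returns 0 only if every commit is reachable from TAG, 2 if TAG does not exist.
fix_in_release() {
    repo=$1; tag=$2; shift 2
    rc=0
    if ! git -C "$repo" rev-parse -q --verify "refs/tags/$tag^{commit}" >/dev/null 2>&1; then
        echo "tag $tag not found in $repo" >&2
        return 2
    fi
    for c in "$@"; do
        # ^{commit} forces an object lookup; a bare 40-hex id would "verify" even if absent.
        if ! git -C "$repo" rev-parse -q --verify "$c^{commit}" >/dev/null 2>&1; then
            echo "$c UNKNOWN"; rc=1     # object is not in this clone
        elif git -C "$repo" merge-base --is-ancestor "$c" "refs/tags/$tag^{commit}"; then
            echo "$c included"          # fix is part of the tagged release
        else
            echo "$c MISSING"; rc=1     # fix landed outside the release history
        fi
    done
    return $rc
}

# Constructed throwaway repository (not OpenH264): "fix A" precedes tag v1.1, "fix B" follows it.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid "$@" >/dev/null; }
    g init -q
    g commit -q --allow-empty -m "fix A"
    g tag v1.1
    g commit -q --allow-empty -m "fix B"
    echo "$d"
}

# Against a local clone of github.com/cisco/openh264, with the merge commits quoted in the thread:
#   fix_in_release ./openh264 v1.1 \
#       6489e7b38ad852a20f87214571fac382150dee62 \
#       0ad30516c537bf6d4359e43bbe0185db6abcf809
```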