Closed Bug 1105722 Opened 10 years ago Closed 10 years ago

Remote Code Execution Bug in OpenH264 <=1.2.0, Firefox uses 1.1

Categories

(Core :: Audio/Video, defect)

33 Branch
x86
All
defect
Not set
critical

Tracking


RESOLVED INVALID

People

(Reporter: reginald.barclay, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141113143407

Steps to reproduce:

Cisco published two vulnerability alerts about their OpenH264 library, both with Remote Code Execution capability for software that uses it, in versions <=1.2.0.

Firefox 33.1.1 downloads and uses a v1.1 build from ciscobinary.openh264.org, so seems vulnerable.


Actual results:

The Austrian National CERT seems to be the only one that has published about this with reference to Firefox up to now, see https://cert.at/warnings/all/20141127.html (German language).


Expected results:

New OpenH264 build plus FF version that uses it plus security advisory from Mozilla.
Severity: normal → critical
Component: Untriaged → Security
OS: Linux → All
mreavy?
Component: Security → Video/Audio
Flags: needinfo?(mreavy)
Product: Firefox → Core
I believe those issues were filed in our bugzilla in the open by fbraun earlier today: Bug 1105685 and Bug 1105688.  Quoting Freddy (fbraun): "This is likely not as bad as it could be, since the plugin runs in a sandbox."  

We should update the plugin and publish a new one as soon as it is available.
Flags: needinfo?(mreavy)
I hope the "sandboxing mitigates the worst of it" assumption holds true, at least until a new version has shipped. The issue has been essentially public since Nov 24th.
We were notified in August by HP's ZDI that Oksana had found two problems.  At the time we were notified they had already been found/fixed.  Here are the commit details to OpenH264 for the fixes:

******************************************************
commit 6489e7b38ad852a20f87214571fac382150dee62
Merge: e66cf53 1ec213d
Author: dongzha <dongzha@cisco.com>
Date: Tue Jul 8 12:49:42 2014 +0800
Merge pull request #1096 from huili2/early_stop_parse_rec_bug
stop early error for parse/recon MB
******************************************************
commit 0ad30516c537bf6d4359e43bbe0185db6abcf809
Merge: ab41e69 f1a0a81
Author: HaiboZhu <haibozhu@cisco.com>
Date: Sat Jul 5 13:24:10 2014 +0800
Merge pull request #1088 from huili2/crash_dpb_ec
dpb uninitial crash for EC
*******************************************************


I believe the versioning in the CERT is incorrect.  1.0 is affected which is why we removed it from our RELEASES file.
You mean the version info in the Cisco vuln. alert is wrong? That'd be good news, indeed.

http://tools.cisco.com/security/center/viewAlert.x?alertId=36501 says: "Applications using Cisco OpenH264 versions 1.2.0 and prior are affected."
Yes, I meant the Cisco Vulnerability Alert.  

Also, I have the original reports of these from HP ZDI if anyone on the security team wants to double-check.
OK, I think that closes the issue.

Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
To help catch future searches these vuln reports were for CVE-2014-8001 and CVE-2014-8002
Group: core-security