Remote Code Execution Bug in OpenH264 <=1.2.0, Firefox uses 1.1

RESOLVED INVALID

Status

Core
Audio/Video
--
critical
RESOLVED INVALID
3 years ago
3 years ago

People

(Reporter: Robert W., Unassigned)

Tracking

33 Branch
x86
All
Points:
---

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141113143407

Steps to reproduce:

Cisco published two vulnerability alerts about their OpenH264 library, both with Remote Code Execution capability for software that uses it, in versions <=1.2.0.

Firefox 33.1.1 downloads and uses a v1.1 build from ciscobinary.openh264.org, so it seems vulnerable.


Actual results:

The Austrian National CERT seems to be the only one who has published about this with reference to Firefox up to now; see https://cert.at/warnings/all/20141127.html (German language).


Expected results:

New OpenH264 build plus FF version that uses it plus security advisory from Mozilla.
(Reporter)

Updated

3 years ago
Severity: normal → critical
Component: Untriaged → Security
OS: Linux → All

Comment 1

3 years ago
mreavy?
Component: Security → Video/Audio
Flags: needinfo?(mreavy)
Product: Firefox → Core
I believe those issues were filed in our bugzilla in the open by fbraun earlier today: Bug 1105685 and Bug 1105688.  Quoting Freddy (fbraun): "This is likely not as bad as it could be, since the plugin runs in a sandbox."  

We should update the plugin and publish a new one as soon as it is available.
Flags: needinfo?(mreavy)
(Reporter)

Comment 3

3 years ago
I hope the "sandboxing mitigates the worst of it" assumption holds true, at least until a new version has shipped. The issue has been essentially public since Nov 24th.

Comment 4

3 years ago
We were notified in August by HP's ZDI that Oksana had found two problems. At the time we were notified they had already been found/fixed. Here are the commit details to OpenH264 for the fixes:

******************************************************
commit 6489e7b38ad852a20f87214571fac382150dee62
Merge: e66cf53 1ec213d
Author: dongzha <dongzha@cisco.com>
Date: Tue Jul 8 12:49:42 2014 +0800
Merge pull request #1096 from huili2/early_stop_parse_rec_bug
stop early error for parse/recon MB
******************************************************
commit 0ad30516c537bf6d4359e43bbe0185db6abcf809
Merge: ab41e69 f1a0a81
Author: HaiboZhu <haibozhu@cisco.com>
Date: Sat Jul 5 13:24:10 2014 +0800
Merge pull request #1088 from huili2/crash_dpb_ec
dpb uninitial crash for EC
*******************************************************


I believe the versioning in the CERT is incorrect.  1.0 is affected which is why we removed it from our RELEASES file.
(Reporter)

Comment 5

3 years ago
You mean the version info in the Cisco vuln. alert is wrong? That'd be good news, indeed.

http://tools.cisco.com/security/center/viewAlert.x?alertId=36501 says: "Applications using Cisco OpenH264 versions 1.2.0 and prior are affected."

Comment 6

3 years ago
Yes, I meant the Cisco Vulnerability Alert.  

Also, I have the original reports of these from HP ZDI if anyone on the security team wants to double-check.

Comment 7

3 years ago
The Cisco Vulnerability Alerts now have the correct versions:
http://tools.cisco.com/security/center/viewAlert.x?alertId=36500
http://tools.cisco.com/security/center/viewAlert.x?alertId=36501
(Reporter)

Comment 8

3 years ago
OK, I think that closes the issue.

Thanks!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
To help catch future searches, these vuln reports were for CVE-2014-8001 and CVE-2014-8002.
Group: core-security