Status: RESOLVED FIXED
Type: defect | Priority: P2 | Severity: normal | Rank: 15
Reported: a year ago | Modified: 4 months ago

People: Reporter: tjr, Assigned: dminor

Tracking: Blocks 2 bugs, {sec-want}
Version: unspecified | Target Milestone: mozilla63 | Points: ---

Firefox Tracking Flags: firefox-esr52 wontfix, firefox-esr60 wontfix, firefox58 wontfix, firefox59- wontfix, firefox60 wontfix, firefox61 wontfix, firefox62 wontfix, firefox63 fixed

Details: Whiteboard: [third-party-lib-audit] [sec-triage-backlog][adv-main63-]

Attachments: 3 attachments
Description (Reporter, a year ago)
This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library.

libvpx is currently at version 1.6.1 in mozilla-central, and the latest version of the library released is 1.7.0.

I fetched the latest version of the library from https://chromium.googlesource.com/webm/libvpx/+refs.

The release notes say:

>  - Bug fixes:
>    A variety of fuzzing issues.

I skimmed through a few commits and found:

vp9_quantize_ssse3_x86_64: fix out of bounds write
https://chromium.googlesource.com/webm/libvpx/+/84a7263d4c124919718aca2a7eef1a218216917b

two crash fixes
https://chromium.googlesource.com/webm/libvpx/+/9f36419bf21a5922ffc32c289e09dd9fa0eb4eb2
https://chromium.googlesource.com/webm/libvpx/+/81d66e2cc6ca895051f51373b540a842b888df9e

There's probably more but I stopped after the out of bounds write.
Note that we already have bug 1426988 filed for one known issue in 1.6.1.
See Also: → 1426988

Comment 2 (a year ago)
The "two crash fixes" listed are for bug 1426988

Comment 3 (a year ago)
I just test updated android directly from 1.6.1 to 1.7.0.

The updated script needed --disable-avx512

Other than that, no changes. Let me know if anything weird crops up.
Keywords: sec-high
I suggest we use bug 1426988 to uplift only the sec patches to Beta (and potentially other branches) and land the update to libvpx 1.7.0 on 60 and let it ride the trains.
Duplicate of this bug: 1433650
Group: core-security → media-core-security
Rank: 15
Priority: -- → P2
Just for the record: RyanVM convinced me in bug 1426988 to land bug 1426988 on central.
I'm going to untrack this for 60 as the sec fix landed separately in bug 1426988.
Is updating libvpx still a security issue with bug 1426988 fixed?
Comment 10 (Reporter, a year ago)
(In reply to Frederik Braun [:freddyb] from comment #9)
> Is updating libvpx still a security issue with bug 1426988 fixed?

There's https://chromium.googlesource.com/webm/libvpx/+/84a7263d4c124919718aca2a7eef1a218216917b - I'm not sure if we're affected by it.
MediaRecorder doesn't support vp9 encoding, but it looks like we'd be vulnerable through WebRTC. The patch is one line and looks safe enough to uplift to 59 beta. I'll open a follow-up bug.
Comment 12 (Reporter, a year ago)
I used a new script to look through old vpx commits. 

It found:
45daecb4f73a47ab3236a29a3a48c52324cbf19a - vp8_decode_frame: fix oob read on truncated key frame
4ffdf60b85d2ad7f93ef451e4ec3be30ca797232 - described as a divide by zero, but links to a restricted bug
519fed01c2846ab9294543a3d2d65efaa51ec85b - described as an asan crash

I don't think we've investigated these.

84a7263d4c124919718aca2a7eef1a218216917b - out of bound write - Bug 1443865 FIXED

There were a lot (20+) commits about integer overflows.
Depends on: 1426988
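A script of the kind comment 12 describes, scanning a library's commit subjects between two releases for fix descriptions that usually point at memory-safety or robustness bugs (out-of-bounds access, overflows, sanitizer findings, crashes), as an added example. It is not the reporter's script and not libvpx or Mozilla code. The category names and keyword lists are assumptions made for the example; the sample log is constructed inline, except that the first two hash/subject pairs are the ones quoted in this bug.

```python
"""Triage a library's commit log for security-relevant fix descriptions.

Added example for the commit-scanning step discussed in this bug; not the
reporter's script and not libvpx or Mozilla code.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Subject-line patterns that usually mark a memory-safety or robustness fix.
# The category names and keyword lists are assumptions made for this example.
CATEGORIES = {
    "oob": re.compile(r"\b(oob|out[- ]of[- ]bounds?)\b", re.I),
    "overflow": re.compile(r"\boverflow\b", re.I),
    "div0": re.compile(r"\b(div(ide|ision)?[- ]by[- ]zero|div0)\b", re.I),
    "uaf": re.compile(r"\b(use[- ]after[- ]free|uaf|double[- ]free)\b", re.I),
    "sanitizer": re.compile(r"\b(asan|msan|ubsan|sanitizer)\b", re.I),
    "crash": re.compile(r"\b(crash(es)?|segfault|sigsegv|null(ptr)?[- ]?deref(erence)?)\b", re.I),
    "fuzz": re.compile(r"\bfuzz(ing|er)?\b", re.I),
}

# Constructed sample of `git log --format=%H %s` output. The first two
# hash/subject pairs are the ones quoted in this bug; the c0ffee... entries
# are made up for the example, and the last line is deliberately malformed.
SAMPLE_LOG = """\
84a7263d4c124919718aca2a7eef1a218216917b vp9_quantize_ssse3_x86_64: fix out of bounds write
45daecb4f73a47ab3236a29a3a48c52324cbf19a vp8_decode_frame: fix oob read on truncated key frame
c0ffee000001 vp9: avoid divide by zero in rate control
c0ffee000002 fix asan crash in vp8 decoder
c0ffee000003 prevent integer overflow in frame size computation
c0ffee000004 update README
c0ffee000005 Merge "vp9: fix typo"
not a log line
"""


def classify(subject: str) -> List[str]:
    """Return the sorted category names whose pattern matches the commit subject."""
    return sorted(name for name, pat in CATEGORIES.items() if pat.search(subject))


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Parse `git log --format=%H %s` output into (hash, subject) pairs.

    Blank lines and lines that do not start with a hex hash are skipped so a
    stray line in the input cannot derail the whole run.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-f]{7,40}", parts[0]):
            continue
        pairs.append((parts[0], parts[1]))
    return pairs


def triage(text: str) -> List[dict]:
    """Return the commits whose subject matches at least one category, in log order."""
    flagged = []
    for commit_hash, subject in parse_log(text):
        cats = classify(subject)
        if cats:
            flagged.append({"hash": commit_hash, "subject": subject, "categories": cats})
    return flagged


def summarize(flagged: List[dict]) -> Dict[str, int]:
    """Count how many flagged commits fall into each category (a commit may count twice)."""
    counts: Dict[str, int] = {}
    for entry in flagged:
        for cat in entry["categories"]:
            counts[cat] = counts.get(cat, 0) + 1
    return counts


def git_log_between(repo: str, old: str, new: str) -> str:
    """Fetch the subjects of commits in old..new from a real checkout via git."""
    result = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %s", f"{old}..{new}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # With three arguments (repo path, old tag, new tag) read a real log;
    # otherwise run over the constructed sample so the script works offline.
    text = git_log_between(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_LOG
    hits = triage(text)
    for entry in hits:
        print(f"{entry['hash'][:12]}  {','.join(entry['categories']):<18} {entry['subject']}")
    print("summary:", summarize(hits))
```

Pointed at a libvpx checkout it would be run as `python triage_commits.py /path/to/libvpx v1.6.1 v1.7.0` (assuming the release tags carry those names); the output is a starting list for manual review, not a verdict, since a subject that mentions "overflow" may be a benign refactor and a real fix may carry no keyword at all.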
With bug 1443865 and bug 1426988 fixed, maybe this one here is more of a maintenance bug and less of a security bug?
(In reply to Frederik Braun [:freddyb] from comment #13)
> With bug 1443865 and bug 1426988 fixed, maybe this one here is more of a
> maintenance bug and less of a security bug?
Flags: needinfo?(giles)
Rillian has left Mozilla
Flags: needinfo?(giles) → needinfo?(drno)
(In reply to Frederik Braun [:freddyb] (Unavailable until August 20th) from comment #13)
> With bug 1443865 and bug 1426988 fixed, maybe this one here is more of a
> maintenance bug and less of a security bug?

Yes, I think you are right that this is mostly a maintenance bug now. It should be safe to open it up.
Flags: needinfo?(drno)
Whiteboard: [third-party-lib-audit] → [third-party-lib-audit] [sec-triage-backlog]
Dan, do you have enough cycles to take care of this update?
Flags: needinfo?(dminor)
Assignee - Updated (10 months ago)
Assignee: nobody → dminor
Status: NEW → ASSIGNED
Flags: needinfo?(dminor)
Comment 19 (Assignee, 10 months ago)
Because webrtc.org updates are managed separately from libvpx updates, attempting
to apply this patch just leads to merge conflicts while doing a libvpx update.
Comment 21 (Assignee, 10 months ago)
This disables building avx512 due to difficulty in getting a working set of
compiler flags across our supported platforms. Rather than carrying this patch
forward, we should revisit supporting avx512 when we do the next update.
Comment on attachment 8998529 [details]
Bug 1433158 - Disable avx512 in libvpx; r=jya

Jean-Yves Avenard [:jya] has approved the revision.
Attachment #8998529 - Flags: review+
Comment on attachment 8998527 [details]
Bug 1433158 - Update libvpx to 1.7.0; r=jya

Jean-Yves Avenard [:jya] has approved the revision.
Attachment #8998527 - Flags: review+
Comment on attachment 8998526 [details]
Bug 1433158 - Remove vp9_svc.patch; r=jya

Jean-Yves Avenard [:jya] has approved the revision.
Attachment #8998526 - Flags: review+

Comment 27 (10 months ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/607f7fbeaeb4
https://hg.mozilla.org/mozilla-central/rev/04a7c8e2ab6d
https://hg.mozilla.org/mozilla-central/rev/6ffffe663eb9
Status: ASSIGNED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Looks like this requires a CLOBBER file touch. mihir ran into this build error after updating his mozilla-central clone today:
> 0:02.99 make[4]: *** No rule to make target `$SRC/media/libvpx/libvpx/vp8/encoder/x86/quantize_ssse3.c', needed by `quantize_ssse3.o'.  Stop.

The quantize_ssse3.c source file was removed in this bug (specifically, in this gigantic update commit: https://hg.mozilla.org/mozilla-central/rev/04a7c8e2ab6d )

So, seems likely that our build system isn't automatically able to clean up after that file removal, so we need to bump CLOBBER to avoid other folks running into the same problem that mihir hit.

Comment 29 (10 months ago)
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/90a8b7d09a4b
followup: touch CLOBBER file to avoid bustage from libvpx update. rs=jya
Not that it matters much, but it seems that the patches here added a stray .orig file into the tree: media/libvpx/libvpx/vp9/vp9_cx_iface.c.orig
Comment 32 (Assignee, 10 months ago)
(In reply to twisniewski from comment #31)
> Not that it matters much, but it seems that the patches here added a stray
> .orig file into the tree: media/libvpx/libvpx/vp9/vp9_cx_iface.c.orig

Oops. That will get removed by the next update. Not sure if it is worth removing it before then.
Keywords: sec-high → sec-want
Whiteboard: [third-party-lib-audit] [sec-triage-backlog] → [third-party-lib-audit] [sec-triage-backlog][adv-main63-]
Depends on: 1523611