Third party libvpx dependencies are stale (possibly vulnerable)
Categories
(Core :: Audio/Video: Playback, task, P3)
Tracking
()
People
(Reporter: mhoye, Unassigned)
References
Details
(Keywords: sec-audit)
Under media/libvpx/libvpx/third_party:
- Most importantly: recent libWebm updates solve several memory leaks/null-deref errors, including one CVE (CVE-2018-19212) is more recent than what we have in-tree. The code impacted by that CVE doesn't appear to be something we import, but I'm hoping we can double-check.
Other stuff:
-
documentation references outdated URLs. Code that used to be at https://git.videolan.org/ is now at https://code.videolan.org for example.
-
Some other files, including some .asm files we rely on, have been recently updated to improve warning messages and error handling.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Comment 1•5 years ago
|
||
Is this fully covered by bug 1525393 or is there more to do here?
|
||
Comment 2•5 years ago
|
||
The 1.8.0 release of libvpx is dated 2019-01-31 so should include the fix for the CVE mentioned above.
We also have libwebm as third party dependency of libaom, so that would need to be updated as well.
In both cases, libwebm seems to be dead code. Searchfox shows it as unused and I can rm -rf both of the libwebm directories on my local build without any effect.
|
||
Comment 3•5 years ago
|
||
I guess the question is: should remove these unused directories from our imports?
But that makes future imports harder. Not sure if that is worth the trouble.
|
|
||
Updated•5 years ago
|
Bug 1525393 has landed to update libvpx. Some webRTC code has been disabled to accommodate this, and will likely be restored when we pull webrtc again in future.
Daniel, is there anything else we should do here? Can we close this bug?
|
|
||
Comment 5•4 years ago
|
||
That should be everything, thanks!
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Description
•