Closed Bug 1538814 Opened 4 years ago Closed 3 years ago

Third party libvpx dependencies are stale (possibly vulnerable)


(Core :: Audio/Video: Playback, task, P3)






(Reporter: mhoye, Unassigned)



(Keywords: sec-audit)

Under media/libvpx/libvpx/third_party:

  • Most importantly: recent libWebm updates solve several memory leaks/null-deref errors, including one CVE (CVE-2018-19212) is more recent than what we have in-tree. The code impacted by that CVE doesn't appear to be something we import, but I'm hoping we can double-check.

Other stuff:

  • documentation references outdated URLs. Code that used to be at is now at for example.

  • Some other files, including some .asm files we rely on, have been recently updated to improve warning messages and error handling.

Keywords: sec-audit
Flags: needinfo?(drno)
Group: core-security → media-core-security

Is this fully covered by bug 1525393 or is there more to do here?

Depends on: 1525393
Flags: needinfo?(dminor)

The 1.8.0 release of libvpx is dated 2019-01-31 so should include the fix for the CVE mentioned above.
We also have libwebm as third party dependency of libaom, so that would need to be updated as well.

In both cases, libwebm seems to be dead code. Searchfox shows it as unused and I can rm -rf both of the libwebm directories on my local build without any effect.

Flags: needinfo?(dminor)

I guess the question is: should remove these unused directories from our imports?

But that makes future imports harder. Not sure if that is worth the trouble.

Flags: needinfo?(drno)
Priority: -- → P3

Bug 1525393 has landed to update libvpx. Some webRTC code has been disabled to accommodate this, and will likely be restored when we pull webrtc again in future.

Daniel, is there anything else we should do here? Can we close this bug?

Flags: needinfo?(dveditz)

That should be everything, thanks!

Closed: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → FIXED
Type: enhancement → task
Group: media-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.