Closed Bug 1661261 Opened 4 years ago Closed 4 years ago

Update brotli to 1.0.9

Categories

(Core :: Graphics: Text, task, P3)

Product:
Core
Component:
Graphics: Text
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
82 Branch
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- fixed
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 --- fixed
firefox82 --- fixed

People

(Reporter: RyanVM, Assigned: RyanVM)

References

Details

(Whiteboard: [third-party-lib-audit][gfx-noted])

Attachments

(1 file)

Bug 1661261 - Update brotli to 1.0.9. r=jfkthame
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr78+
Details | Review

+++ This bug was initially created as a clone of Bug #1507525 +++

Changes since 1.0.7:

  • SECURITY: fix integer overflow when input chunk is longer than 2GiB

To be honest, I don't know how serious this issue is in practice for us. Obviously we might as well take this going forward, but is this something likely to actually hit us in the real world where it would make us want to backport also?

Flags: needinfo?(jfkthame)

TBH, I don't know what the implications of hitting this would be, but I guess it probably leads into undefined behavior territory where all bets are off, and someone somewhere might find a way to do bad things with it.

If it depends on feeding brotli an input payload that is >2GB as a starting point, that would tend to make it less attractive as a vector; many users would probably hit an out-of-memory crash before reaching this point.

Still, assuming it lands on central without issues, I think I'd be inclined to backport given that the fix is public, and may inspire somebody to try and stress-test it.

Flags: needinfo?(jfkthame)

Got re-released as 1.0.9 to address a build packaging issue. No code changes from 1.0.8.

Summary: Update brotli to 1.0.8 → Update brotli to 1.0.9
Attachment #9172198 - Attachment description: Bug 1661261 - Update brotli to 1.0.8. r=jfkthame → Bug 1661261 - Update brotli to 1.0.9. r=jfkthame

https://hg.mozilla.org/mozilla-central/rev/4fb36e0374ed

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox82: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch

Comment on attachment 9172198 [details]
Bug 1661261 - Update brotli to 1.0.9. r=jfkthame

Beta/Release Uplift Approval Request

  • User impact if declined: Possible sec issue
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This has baked on Nightly and has good upstream test coverage, including oss-fuzz.
  • String changes made/needed:
Attachment #9172198 - Flags: approval-mozilla-esr78?
Attachment #9172198 - Flags: approval-mozilla-beta?

Comment on attachment 9172198 [details]
Bug 1661261 - Update brotli to 1.0.9. r=jfkthame

Approved for 81.0b8 and 78.3esr.

Attachment #9172198 - Flags: approval-mozilla-esr78?
Attachment #9172198 - Flags: approval-mozilla-esr78+
Attachment #9172198 - Flags: approval-mozilla-beta?
Attachment #9172198 - Flags: approval-mozilla-beta+
Blocks: 1850991
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: