1673529 - (Wasm-sandboxed-libraries) [meta] Libraries/components to sandbox using RLBox

Status: NEW

(Core :: Security: Process Sandboxing, task)

Description

[Deian Stefan]

This bug will be used to track the libraries and components sandboxed with RLBox.

In the process:

• nestegg
• libtremor
• sountouch
• libexpat
• libopus

Done:

• hunspell
• libGraphite
• libOgg container parsing

Abandoned:

• prio
• vorbis

Todo:

• espeak

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Comment 2

[nemo]

So, a new vulnerability in libwebp is making the news today, that is resulting in an emergency release of Firefox 117.0.1 and a (still a 404 at this moment) link to a mozilla security announcement.

In the HN comments, someone mentioned firefox library sandboxing which led me to this bug.
Which got me to wondering. Is libwebp one of the libraries that is protected by RLBox, thus reducing the severity in Firefox? This bug seems kind of dead, so maybe the whole initiative is too, but figured I'd ask.

Comment 3

[Bobby Holley (:bholley)]

(In reply to nemo from comment #2)

Which got me to wondering. Is libwebp one of the libraries that is protected by RLBox, thus reducing the severity in Firefox? This bug seems kind of dead, so maybe the whole initiative is too, but figured I'd ask.

I believe we're currently shipping 6 libraries with RLBox, but that libwebp isn't one of them. I think performance may have been an issue, but we may want to reevaluate that now that we've got SIMD support in RLBox.