Open Bug 1673529 (Wasm-sandboxed-libraries) Opened 4 years ago Updated 5 months ago

[meta] Libraries/components to sandbox using RLBox

Categories

(Core :: Security: Process Sandboxing, task)

People

(Reporter: deian, Unassigned)

References

(Depends on 4 open bugs, Blocks 1 open bug)

Details

(Keywords: meta)

This bug will be used to track the libraries and components sandboxed with RLBox.

In the process:

Done:

Abandoned:

Todo:

Depends on: 1677342
Depends on: 1688452
Alias: Wasm-sandboxed-libraries
Depends on: 1634283
Depends on: 1634285
Depends on: 1723399
Depends on: 1722971
Depends on: 1732201
Depends on: 1733686
Depends on: 1737704
Depends on: 1728934
Depends on: 1737707
Depends on: 1737733
Depends on: 1738095
No longer depends on: 1737733
No longer depends on: 1738095, 1733686
Depends on: 1740974
Depends on: 1747145

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: deian → nobody

So, a new vulnerability in libwebp is making the news today, which is resulting in an emergency release of Firefox 117.0.1 and a (still a 404 at this moment) link to a Mozilla security announcement.

In the HN comments, someone mentioned Firefox library sandboxing, which led me to this bug.
Which got me to wondering. Is libwebp one of the libraries that is protected by RLBox, thus reducing the severity in Firefox? This bug seems kind of dead, so maybe the whole initiative is too, but figured I'd ask.

(In reply to nemo from comment #2)

> Which got me to wondering. Is libwebp one of the libraries that is protected by RLBox, thus reducing the severity in Firefox? This bug seems kind of dead, so maybe the whole initiative is too, but figured I'd ask.

I believe we're currently shipping 6 libraries with RLBox, but that libwebp isn't one of them. I think performance may have been an issue, but we may want to reevaluate that now that we've got SIMD support in RLBox.
