Closed Bug 1690976 (CVE-2021-23973) Opened 1 year ago Closed 1 year ago

MediaError message property can leak information about cross-origin media resource

Categories

(Core :: Audio/Video: Playback, defect, P2)

58 Branch
defect

Tracking

RESOLVED FIXED
87 Branch
Tracking Status
firefox-esr78 86+ fixed
firefox85 --- wontfix
firefox86 --- fixed
firefox87 --- fixed

People

(Reporter: pehrsons, Assigned: pehrsons)

Details

(Keywords: csectype-sop, sec-low, Whiteboard: [adv-main86+][adv-esr78.8+])

Attachments

(3 files)

Similarly to bug 1450853, but while decoding instead of loading -- and setting the error through this path. I don't think this could leak any response status, but it can leak information about the content of the media resource. Things like this or this.

+++ This bug was initially created as a clone of Bug #1450853 +++

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180208173149

Steps to reproduce:

1- Visit: https://output.jsbin.com/nejatopusi
2- Enter a URL in the input box, click the "Test" button
The URL will be loaded as the src of an audio element.

Actual results:

The message property of the MediaError interface contains a different string for resources that load successfully. This allows an attacker to infer the response status for a cross-origin resource.

Expected results:

Cross-origin response status should not be detectable by scripts unless necessary CORS headers are sent by the server.
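An added illustration of what the fix does, written for this page; it is not Gecko's code and not one of the bug's attachments. It models the redaction of a decoder's detail string for CORS-cross-origin media and a check in the spirit of test_decode_error_crossorigin.html; the function and constant names, the default string, the origins and the sample detail strings are all assumptions.

```javascript
// Modelled after the behaviour described in the bug: before the fix the
// decoder's detail text reached script in MediaError.message; after the fix
// a fixed default replaces it when the page has no CORS access to the bytes.
// MEDIA_ERR_DECODE is the real MediaError code; everything else is assumed.
const MEDIA_ERR_DECODE = 3;
const DEFAULT_MESSAGE = "Failed to decode media"; // assumed generic string

// A load is "CORS-cross-origin" when the resource came from another origin
// and the element did not obtain CORS access (crossorigin attribute plus a
// permitting Access-Control-Allow-Origin response).
function isCorsCrossOrigin(load) {
  return load.resourceOrigin !== load.pageOrigin && !load.corsGranted;
}

// Returns the MediaError-like object a page would observe.
function redactDecodeError(load, code, decoderDetail) {
  if (code === MEDIA_ERR_DECODE && isCorsCrossOrigin(load)) {
    return { code, message: DEFAULT_MESSAGE };
  }
  return { code, message: decoderDetail };
}

// Regression check: if two cross-origin decode failures yield different
// messages, the message still distinguishes content of the media resource.
function leaksContent(errors) {
  const messages = new Set(
    errors.filter(e => e.code === MEDIA_ERR_DECODE).map(e => e.message)
  );
  return messages.size > 1;
}

// Constructed sample: two cross-origin files failing for different reasons.
const crossOriginLoad = {
  pageOrigin: "https://page.example",
  resourceOrigin: "https://media.example",
  corsGranted: false,
};
const details = ["Corrupt AAC frame at offset 500", "Unsupported H.264 profile"];
const before = details.map(d => ({ code: MEDIA_ERR_DECODE, message: d }));
const after = details.map(d => redactDecodeError(crossOriginLoad, MEDIA_ERR_DECODE, d));
console.log(leaksContent(before), leaksContent(after)); // true false
```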

Landed:
https://hg.mozilla.org/integration/autoland/rev/ff2dd7ee09b6281c248b046757c69dab70bb77e7
https://hg.mozilla.org/integration/autoland/rev/d119750e84691214a66216a053cb4a69209d0a2a

Backed out for failing modified test_decode_error_crossorigin.html:

https://hg.mozilla.org/integration/autoland/rev/283cfdca9a408ba3ac2e1c8b458e40eb1937d594

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&revision=d119750e84691214a66216a053cb4a69209d0a2a
Failure log: https://treeherder.mozilla.org/logviewer?job_id=329195723&repo=autoland

[task 2021-02-08T09:37:13.402Z] 09:37:13 INFO - TEST-PASS | dom/media/test/test_decode_error_crossorigin.html | At least one test led to src-not-supported
[task 2021-02-08T09:37:13.402Z] 09:37:13 INFO - Buffered messages finished
[task 2021-02-08T09:37:13.404Z] 09:37:13 INFO - TEST-UNEXPECTED-FAIL | dom/media/test/test_decode_error_crossorigin.html | At least one test led to a decode error
[task 2021-02-08T09:37:13.405Z] 09:37:13 INFO - SimpleTest.ok@SimpleTest/SimpleTest.js:417:16
[task 2021-02-08T09:37:13.405Z] 09:37:13 INFO - manager.onFinished@dom/media/test/test_decode_error_crossorigin.html:62:7
[task 2021-02-08T09:37:13.406Z] 09:37:13 INFO - MediaTestManager/this.nextTest@dom/media/test/manifest.js:2201:14
[task 2021-02-08T09:37:13.406Z] 09:37:13 INFO - MediaTestManager/this.finished@dom/media/test/manifest.js:2162:12
[task 2021-02-08T09:37:13.407Z] 09:37:13 INFO - startTest/<@dom/media/test/test_decode_error_crossorigin.html:36:13

Group: core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(apehrson)
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Comment on attachment 9201357 [details]
Bug 1690976 - Don't reveal error details for CORS-cross-origin decoding errors. r?bryce!,r?sstreich!

Beta/Release Uplift Approval Request

  • User impact if declined: An adversary could figure out certain details about a media file on a third-party origin if we are able to load it but during playback exhibit an error.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This simply adds a case where we change the message component of an error to a default string. No threading changes, no lifetime changes.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: An adversary could figure out certain details about a media file on a third-party origin if we are able to load it but during playback exhibit an error.
  • Fix Landed on Version: 87
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This simply adds a case where we change the message component of an error to a default string. No threading changes, no lifetime changes.
  • String or UUID changes made by this patch:
Attachment #9201357 - Flags: approval-mozilla-esr78?
Attachment #9201357 - Flags: approval-mozilla-beta?
Attachment #9201356 - Flags: approval-mozilla-beta?
Attachment #9201356 - Flags: approval-mozilla-esr78?

Comment on attachment 9201357 [details]
Bug 1690976 - Don't reveal error details for CORS-cross-origin decoding errors. r?bryce!,r?sstreich!

Approved for beta and esr, thanks.

Attachment #9201357 - Flags: approval-mozilla-esr78?
Attachment #9201357 - Flags: approval-mozilla-esr78+
Attachment #9201357 - Flags: approval-mozilla-beta?
Attachment #9201357 - Flags: approval-mozilla-beta+
Attachment #9201356 - Flags: approval-mozilla-esr78?
Attachment #9201356 - Flags: approval-mozilla-esr78+
Attachment #9201356 - Flags: approval-mozilla-beta?
Attachment #9201356 - Flags: approval-mozilla-beta+
QA Whiteboard: [qa-triaged]
Flags: qe-verify-
Whiteboard: [adv-main86+]
Whiteboard: [adv-main86+] → [adv-main86+][adv-esr78.8+]
Attached file advisory.txt
Alias: CVE-2021-23973
Group: core-security-release