Closed Bug 1762614 Opened 3 years ago Closed 3 years ago

Update libopus

Categories

(Core :: Audio/Video: Playback, enhancement)

enhancement

Tracking

()

RESOLVED FIXED
101 Branch
Tracking Status
firefox-esr91 100+ fixed
firefox99 - wontfix
firefox100 + fixed
firefox101 + fixed

People

(Reporter: tjr, Assigned: tjr)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [post-critsmash-triage][adv-main100+r][adv-esr91.9+r])

Attachments

(3 files, 1 obsolete file)

Attached file commits.txt —

We last updated opus 4 years ago in Bug 1487049. I've attached the list of commits between our in-tree and HEAD.

In the commits list, there were (at least) six commits that referenced fixing a buffer or integer overflow; but I don't know if we are vulnerable to those specific issues, or if they are exploitable.

Attached file commits.txt (obsolete) —
Attachment #9270460 - Attachment is obsolete: true
Attachment #9270460 - Attachment is obsolete: false
Attachment #9270461 - Attachment is obsolete: true
Blocks: 1762642

Depends on D142717

Bryce, could you identify someone to review this?

Flags: needinfo?(bvandyk)

I've put in a try run here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b92d50730d0f7b19868ef3b920b8f2ea0b3f1723

I think the files I removed were leftover artifacts (they do not exist in the upstream repo) but the build should confirm that...

:kinetik, is this something you could help wrangle?

Flags: needinfo?(bvandyk) → needinfo?(kinetik)

(In reply to Tom Ritter [:tjr] (ni? for response to CVE/sec-approval/advisories/etc) from comment #5)

I think the files I removed were leftover artifacts (they do not exist in the upstream repo) but the build should confirm that...

From a quick look, I think the Ne10 stuff is not used in our build. The x86/SSE removals are due to file renames, and appear to have been added correctly with the new names.

Patches look good - happy to review this when it's ready.

Flags: needinfo?(kinetik)

opus is being fuzzed as part of oss-fuzz, but that doesn't help us if we don't keep up with the fixes. It has not been separately fuzzed in Firefox since before oss-fuzz. It's possible some of the overflow bugs are regressions that wouldn't be in the copy of opus we have, but until we know that applies to all of them we should assume the worst.

Assignee: nobody → tom
Attachment #9270483 - Attachment description: WIP: Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 → Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik
Status: NEW → ASSIGNED
Attachment #9270484 - Attachment description: WIP: Bug 1762614: Remove unneccessary (?) files → Bug 1762614: Remove unneccessary (?) files r?kinetik

Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik

Approved to land

Attachment #9270483 - Flags: sec-approval+

Comment on attachment 9270484 [details]
Bug 1762614: Remove unneccessary files r?kinetik

Approved to land

Attachment #9270484 - Flags: sec-approval+

[Tracking Requested - why for this release]: We are assuming the worst here

Attachment #9270484 - Attachment description: Bug 1762614: Remove unneccessary (?) files r?kinetik → Bug 1762614: Remove unneccessary files r?kinetik
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik

Beta/Release Uplift Approval Request

  • User impact if declined: We think that opus may have sec-high issues latent in it.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): We have tested this in Nightly but it's possible there are subtle failures or misbehaviors on uncommon platforms or videos we haven't noticed.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: We think that opus may have sec-high issues latent in it.
  • User impact if declined: They would be vulnerable.
  • Fix Landed on Version:
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): We have tested this in Nightly but it's possible there are subtle failures or misbehaviors on uncommon platforms or videos we haven't noticed.
Flags: needinfo?(tom)
Attachment #9270483 - Flags: approval-mozilla-esr91?
Attachment #9270483 - Flags: approval-mozilla-beta?
Attachment #9270484 - Flags: approval-mozilla-beta?
Attachment #9270484 - Flags: approval-mozilla-beta? → approval-mozilla-esr91?
Attachment #9270484 - Flags: approval-mozilla-beta?

Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik

Approved for 100.0b6

Attachment #9270483 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9270484 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik

Approved for 91.9esr

Attachment #9270483 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Attachment #9270484 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main100+r][adv-esr91.9+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: