Update libopus
Categories: Core :: Audio/Video: Playback, enhancement
People: Reporter: tjr, Assigned: tjr
Keywords: csectype-bounds, sec-high
Whiteboard: [post-critsmash-triage][adv-main100+r][adv-esr91.9+r]
Attachments (3 files, 1 obsolete file):
- 43.18 KB, text/plain (Details)
- 48 bytes, text/x-phabricator-request; flags: diannaS: approval-mozilla-beta+, diannaS: approval-mozilla-esr91+, tjr: sec-approval+ (Details | Review)
- 48 bytes, text/x-phabricator-request; flags: diannaS: approval-mozilla-beta+, diannaS: approval-mozilla-esr91+, tjr: sec-approval+ (Details | Review)
We last updated opus 4 years ago in Bug 1487049. I've attached the list of commits between our in-tree and HEAD.
In the commits list, there were (at least) six commits that referenced fixing a buffer or integer overflow; but I don't know if we are vulnerable to those specific issues, or if they are exploitable.
Comment 1 • 3 years ago
Comment 2 • 3 years ago
Depends on D142711
Comment 3 • 3 years ago
Depends on D142717
Comment 4 • 3 years ago
Bryce, could you identify someone to review this?
Comment 5 • 3 years ago
I've put in a try run here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b92d50730d0f7b19868ef3b920b8f2ea0b3f1723
I think the files I removed were leftover artifacts (they do not exist in the upstream repo) but the build should confirm that...
:kinetik, is this something you could help wrangle?
Comment 7 • 3 years ago
(In reply to Tom Ritter [:tjr] (ni? for response to CVE/sec-approval/advisories/etc) from comment #5)
> I think the files I removed were leftover artifacts (they do not exist in the upstream repo) but the build should confirm that...
From a quick look, I think the Ne10 stuff is not used in our build. The x86/SSE removals are due to file renames, and appear to have been added correctly with the new names.
Patches look good - happy to review this when it's ready.
Comment 8 • 3 years ago
opus is being fuzzed as part of oss-fuzz, but that doesn't help us if we don't keep up with the fixes. It has not been separately fuzzed in Firefox since before oss-fuzz. It's possible some of the overflow bugs are regressions that wouldn't be in the copy of opus we have, but until we know that applies to all of them we should assume the worst.
Comment 9 • 3 years ago
Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik
Approved to land
Comment 10 • 3 years ago
Comment on attachment 9270484 [details]
Bug 1762614: Remove unnecessary files r?kinetik
Approved to land
Comment 11 • 3 years ago
[Tracking Requested - why for this release]: We are assuming the worst here
Comment 12 • 3 years ago
Landed:
https://hg.mozilla.org/integration/autoland/rev/26d845c1cc155e29fe06e0e011f8c192814d4122
https://hg.mozilla.org/integration/autoland/rev/f863c6888fe74e7705c991e2a257f0470318baba
Backed out for causing android arm build bustages
https://hg.mozilla.org/integration/autoland/rev/389511345c7cf93cd7136ce5d0279fae4ff28cb5
Push with bustage: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry&revision=f863c6888fe74e7705c991e2a257f0470318baba&selectedTaskRun=K03YkWglRne38XWwlMqi1g.0
Failure log: https://treeherder.mozilla.org/logviewer?job_id=373624334&repo=autoland
[task 2022-04-06T16:31:34.866Z] 16:31:34 ERROR - gmake[4]: *** No rule to make target 'celt_pitch_xcorr_arm-gnu.s', needed by 'celt_pitch_xcorr_arm-gnu.o'. Stop.
Comment 13 • 3 years ago
Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r=kinetik
https://hg.mozilla.org/integration/autoland/rev/394ca0b838e119778df65fe81a2485c4455f5c71
https://hg.mozilla.org/mozilla-central/rev/394ca0b838e1
Remove unnecessary files r=kinetik
https://hg.mozilla.org/integration/autoland/rev/a1f2c91e87c17b607e007d2cc5a6d2e7b3300c0a
https://hg.mozilla.org/mozilla-central/rev/a1f2c91e87c1
Comment 14 • 3 years ago
Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik
Beta/Release Uplift Approval Request
- User impact if declined: We think that opus may have sec-high issues latent in it.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): We have tested this in Nightly but it's possible there are subtle failures or misbehaviors on uncommon platforms or videos we haven't noticed.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: We think that opus may have sec-high issues latent in it.
- User impact if declined: They would be vulnerable.
- Fix Landed on Version:
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): We have tested this in Nightly but it's possible there are subtle failures or misbehaviors on uncommon platforms or videos we haven't noticed.
Comment 15 • 3 years ago
Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik
Approved for 100.0b6
Comment 16 • 3 years ago
uplift
Comment 17 • 3 years ago
Comment on attachment 9270483 [details]
Bug 1762614: Update libopus to 2654707e86cc94413998976d179b2ab4a2aa3114 r?kinetik
Approved for 91.9esr
Comment 18 • 3 years ago
uplift