Chrome libvpx 0day
Categories
(Core :: Audio/Video, defect)
Tracking
()
People
(Reporter: freddy, Assigned: RyanVM)
References
Details
(Keywords: csectype-bounds, reporter-external, sec-critical, Whiteboard: [adv-main118.0.1+][adv-esr115.3.1+])
Attachments
(6 files, 3 obsolete files)
8.88 KB,
text/plain
|
Details | |
1.96 KB,
text/plain
|
Details | |
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
RyanVM
:
approval-mozilla-esr115+
RyanVM
:
sec-approval+
|
Details | Review |
324 bytes,
text/plain
|
Details | |
1.59 KB,
text/html
|
Details | |
17.02 KB,
text/plain
|
Details |
Chrome is affected by a 0day bug exploiting a vulnerability in libvpx, which is exposed through the WebCodec API.
We do not support the API but use libvpx elsewhere (mostly WebRTC) and should therefore investigate if this affects us and how fast we want to ship an update.
I'm rating this sec-critical, in case it is a Firefox 0day. Naturally, we want to rank this down if it isn't.
Reporter | ||
Comment 1•9 months ago
|
||
Reporter | ||
Comment 2•9 months ago
|
||
Updated•9 months ago
|
Comment 3•9 months ago
|
||
libvpx patch: https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590%5E%21/
webcodec patch (for comparison, not relevant to us):
https://chromium.googlesource.com/chromium/src/+/dd8d9efe3251e33dfe19fa0163626aa1b35946d0
Comment 4•9 months ago
•
|
||
We are not vulnerable to the Chrome exploit that's in the wild, which uses Web Codecs APIs that Firefox does not support (yet). But WebRTC can encode using VP8 and it's possible the bug could be triggered in Firefox by manipulating input streams to that.
Update: we later discovered that the MediaRecorder API also uses the vulnerable libvpx encoder, and we believe it could be used to trigger the vulnerability in Firefox.
Assignee | ||
Updated•9 months ago
|
Assignee | ||
Comment 5•9 months ago
|
||
Cherry-pick of upstream libvpx commit:
https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
Assignee | ||
Comment 6•9 months ago
|
||
Comment 7•9 months ago
|
||
I'll mark this as csectype-bounds, as the description of this from Chrome's release notes is:
"[1486441] High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25"
Updated•9 months ago
|
Updated•9 months ago
|
Comment 8•9 months ago
|
||
Comment on attachment 9355423 [details]
Bug 1855550 - VP8: disallow thread count changes.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I assume not hard given the 0-day for chrome (if they figure out that MediaRecorder could be a vector, and MediaRecorder actually triggers it in an exploitable way)
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: trivial
- How likely is this patch to cause regressions; how much testing does it need?: Almost impossible to cause regressions
- Is Android affected?: Yes
Beta/Release Uplift Approval Request
- User impact if declined: active 0-day
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Trivial safe change
- String changes made/needed: none
- Is Android affected?: Yes
Updated•9 months ago
|
Assignee | ||
Comment 9•9 months ago
|
||
Comment on attachment 9355423 [details]
Bug 1855550 - VP8: disallow thread count changes.
Per discussion in the incident Slack channel, we're going to move forward with shipping this fix ASAP. Approved for 118.0.1, 119.0b3, and 115.3.1esr.
Comment 10•9 months ago
|
||
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c53f5ef77b62 VP8: disallow thread count changes. r=jesup
Comment 11•9 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/0862c284dac0
Comment 12•9 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c
Comment 13•9 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-esr115/rev/749617c4473c
Comment 14•9 months ago
|
||
Comment 15•9 months ago
|
||
Comment 16•9 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-esr115/rev/5241232a3292
Assignee | ||
Updated•9 months ago
|
Assignee | ||
Updated•9 months ago
|
Comment 17•9 months ago
|
||
Updated•9 months ago
|
Updated•9 months ago
|
Assignee | ||
Comment 18•9 months ago
|
||
Comment 19•9 months ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #4)
Update: we later discovered that the MediaRecorder API also uses the vulnerable libvpx encoder, and we believe it could be used to trigger the vulnerability in Firefox.
In Thunderbird, it seems difficult to reach the media recording code by viewing a web page, because there is no code to grant permission to the camera (said mkmelin), so video recording might be impossible.
However, we cannot rule out than an Add-on with higher privileges might trigger media recording, so it might be best to update Thunderbird, too.
Comment 20•9 months ago
|
||
You can use MediaRecorder with any MediaStream, including HTMLCanvasElement.captureStream()
Comment 21•9 months ago
|
||
Daniel, thanks a lot for this clarification.
Then we should also do an urgent update for Thunderbird.
Comment 23•9 months ago
|
||
Comment 24•9 months ago
|
||
Comment 25•9 months ago
|
||
The ASAN log from Christian's MediaRecorder testcase (attachment 9355617 [details]) are a beautiful match for the VideoRecorder testcase ASAN log from the Chrome bug.
The crashing threads are identical below mozilla::VP8TrackEncoder::Encode
and media::VpxVideoEncoder::Encode
, and the allocating threads are identical below mozilla::VP8TrackEncoder::Reconfigure
and media::VpxVideoEncoder::ChangeOptions
Updated•9 months ago
|
Updated•6 months ago
|
Updated•1 month ago
|
Updated•1 month ago
|
Updated•28 days ago
|
Updated•15 days ago
|
Description
•