Closed Bug 1874258 Opened 1 year ago Closed 1 year ago

CVE-2023-6879 for bundled aom - firefox and thunderbird

Categories

(Core :: Audio/Video: Playback, defect)

Tracking

()

RESOLVED INVALID

People

(Reporter: yhang_wang, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

CVE-2023-6879 is impacting aom. A backport or update may be required for aom. Is there any plan to have it updated or patched?

https://nvd.nist.gov/vuln/detail/CVE-2023-6879

I rebuilt Firefox/Thunderbird with the latest aom and all looks good. The aom commit id I use is 7f3058e0c8b3c711f4173b23b888bda8d7acd952.

Flags: sec-bounty?

Btw, the Firefox/Thunderbird version I rebuilt: 115.6.0.

Group: firefox-core-security → media-core-security
Component: Security → Audio/Video: Playback
Product: Firefox → Core

I don't believe Firefox ESR 115 uses libaom (we use libdav1d), although an old copy is in the tree and there are still some leftover prefs that let people turn off dav1d and fall back to libaom if they dig under the hood.

We are going to use the encoder for WebRTC, so we WONTFIXED the "get rid of the code" bug 1635296 and are hooking libaom up to our library update system in bug 1868615.

Depends on: 1868615

Thank you for the update and info. I'll keep watching ;)

I was slightly wrong: the plan for the encoder was to use it for the Web Codecs spec, not WebRTC. But essentially the same -- we're not currently using this, and the bug that's referenced was in the decoder, which we have no plan to use.

Group: media-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-