Update libtheora to SVN r16702 to fix a possibly exploitable bug

RESOLVED FIXED

Status

--
critical
9 years ago
7 years ago

People

(Reporter: kinetik, Assigned: kinetik)

Tracking

1.9.2 Branch
Bug Flags:
blocking1.9.2 +

Firefox Tracking Flags

(status1.9.2 beta4-fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
From #theora:
15:48 < kinetik> 1.1 will be in 3.6
15:48 < derf> kinetik: I highly recommend you apply the patch in r16702, then.
15:50 < derf> I didn't actually do the analysis to see if that bug led to an exploitable vulnerability.
15:50 < derf> But I figure better safe than sorry.
15:53 < kinetik> does a similar problem exist on the 1.0 code?
15:53 < derf> kinetik: No. That code was all-new in 1.1.
15:54 < derf> It was part of the changes needed to actually check malloc() returns.
(Assignee)

Comment 1

9 years ago
This should probably block 1.9.2.  1.9.1 is not affected as we've still got Theora 1.0 there.  I'll get a patch up ASAP.
Assignee: nobody → kinetik
Flags: blocking1.9.2?
Flags: blocking1.9.2? → blocking1.9.2+
(Assignee)

Comment 2

9 years ago
Created attachment 412758 [details] [diff] [review]
patch v0
Attachment #412758 - Flags: review?(chris.double)

Comment 3

9 years ago
Comment on attachment 412758 [details] [diff] [review]
patch v0

Does README_MOZILLA need to be updated to state the svn revision?
Attachment #412758 - Flags: review?(chris.double) → review+
(Assignee)

Comment 4

9 years ago
It was! :-)

-The subversion revision used was r16584.
+The subversion revision used was r16712.
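Review bot: the new README_MOZILLA line records r16712, while the bug summary and the #theora recommendation in the description name r16702; add a sentence to the commit message or the attachment comment stating which revision was actually imported and why it differs from r16702, so the two numbers don't read as a mismatch.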

Comment 5

9 years ago
Doh, so it was!

Comment 6

I've done the analysis now, and I don't believe the bug is exploitable with the code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better safe than sorry.

Comment 7

(In reply to comment #6)
> I've done the analysis now, and I don't believe the bug is exploitable with the
> code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better
> safe than sorry.

Do you know of anybody or any distro that has changes that would make this exploitable (I assume OC_HUFF_SLUSH == 0 would be bad)? I can bring this up on vendor-sec if you think it's possible that some distro would actually be vulnerable to this.

Comment 8

Setting OC_HUFF_SLUSH to 0 should have caused a segfault on almost every Theora file in existence. I'm pretty sure if a distro had done that, they would have noticed.
(Assignee)

Comment 9

9 years ago
http://hg.mozilla.org/mozilla-central/rev/75fe32a53fa6
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 192 landing]
(Assignee)

Comment 10

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/59085da1989e
status1.9.2: --- → final-fixed
Whiteboard: [needs 192 landing]
Group: core-security