Bug 529197
Opened 14 years ago
Closed 14 years ago
Update libtheora to SVN r16702 to fix a possibly exploitable bug
Categories
(Core :: Audio/Video, defect)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | beta4-fixed |
People
(Reporter: kinetik, Assigned: kinetik)
Details
Attachments
(1 file)
6.54 KB, patch | cajbir: review+
From #theora:
15:48 < kinetik> 1.1 will be in 3.6
15:48 < derf> kinetik: I highly recommend you apply the patch in r16702, then.
15:50 < derf> I didn't actually do the analysis to see if that bug led to an exploitable vulnerability.
15:50 < derf> But I figure better safe than sorry.
15:53 < kinetik> does a similar problem exist on the 1.0 code?
15:53 < derf> kinetik: No. That code was all-new in 1.1.
15:54 < derf> It was part of the changes needed to actually check malloc() returns.
Comment 1 (Assignee) • 14 years ago
This should probably block 1.9.2. 1.9.1 is not affected as we've still got Theora 1.0 there. I'll get a patch up ASAP.
Assignee: nobody → kinetik
Flags: blocking1.9.2?
Flags: blocking1.9.2? → blocking1.9.2+
Comment 2 (Assignee) • 14 years ago
Attachment #412758 - Flags: review?(chris.double)
Comment 3 • 14 years ago
Comment on attachment 412758: patch v0

Does README_MOZILLA need to be updated to state the svn revision?
Attachment #412758 - Flags: review?(chris.double) → review+
Comment 4 (Assignee) • 14 years ago
It was! :-) -The subversion revision used was r16584. +The subversion revision used was r16712.
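Review bot: the added README_MOZILLA line records r16712, but this bug's summary and the #theora recommendation both name r16702 as the revision carrying the fix. If the import really was taken at r16712, state that in the bug or the commit message and confirm it includes the r16702 change, so the README, the summary and the landed code can be matched up later.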
Comment 5 • 14 years ago
Doh, so it was!
Comment 6 • 14 years ago
I've done the analysis now, and I don't believe the bug is exploitable with the code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better safe than sorry.
Comment 7 • 14 years ago
(In reply to comment #6)
> I've done the analysis now, and I don't believe the bug is exploitable with the
> code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better
> safe than sorry.

Do you know of anybody or any distro that has changes that would make this exploitable (I assume OC_HUFF_SLUSH == 0 would be bad)? I can bring this up on vendor-sec if you think it's possible that some distro would actually be vulnerable to this.
Comment 8 • 14 years ago
Setting OC_HUFF_SLUSH to 0 should have caused a segfault on almost every Theora file in existence. I'm pretty sure if a distro had done that, they would have noticed.
Whiteboard: [needs landing]
Comment 9 (Assignee) • 14 years ago
http://hg.mozilla.org/mozilla-central/rev/75fe32a53fa6
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 192 landing]
Comment 10 (Assignee) • 14 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/59085da1989e
status1.9.2: --- → final-fixed
Whiteboard: [needs 192 landing]
Updated • 12 years ago
Group: core-security