Slashdot Mirror


MP3 Backend of Firefox and Thunderbird Found Vulnerable

jones_supa writes: A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

60 comments

  1. Watch what you listen by hcs_$reboot · · Score: 5, Funny

    a use-after-free scenario when playing certain audio files (...) can lead to a potentially exploitable crash

    It has been reported that the crash always happens when playing J.Bieber stuff.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Watch what you listen by Anonymous Coward · · Score: 0

      You can't put a price on that - they could make a fortune

    2. Re:Watch what you listen by Anonymous Coward · · Score: 0

      Well duh, the summary -did- say malicious mp3s. Having to listen to that stuff couldn't possibly count as anything else.

    3. Re:Watch what you listen by Anonymous Coward · · Score: 0

      Other content found to cause nausea, headache, diarrhea and general malaise were noises produced by "Backstreet Boys", "Black Eyed Peas", "Britney Spears", "Celine Dion", "Christina Aguilera", "98 Degrees", "Jonas Brothers", "Kanye West", "Ke$ha", "Lady Gaga", "Lil Wayne", "Miley Cyrus", "New Kids On The Block", "Nicki Minaj", "NSYNC", "One Direction", "Skrillex", "Spice Girls" and all "rappers" worldwide, among other talentless hacks.

      If you have been exposed to any of these earsores or their ilk, please view this instructional video for immediate help.

  2. In a Plugin! by Anonymous Coward · · Score: 1

    It's not really a Firefox / Thunderbird issue if a plugin causes it.
    There's tons of plugins out there and in general they aren't of the same quality as Firefox itself. So nothing to see here.

    1. Re:In a Plugin! by gl4ss · · Score: 1

      not really if the plugin is used incorrectly.

      like the plugin is used after its memory is freed.

      --
      world was created 5 seconds before this post as it is.
    2. Re:In a Plugin! by Anonymous Coward · · Score: 0

      There's tons of plugins out there and in general they aren't of the same quality as Firefox itself. So nothing to see here.

      This is the main solution of Firefox for playing MP3 files internally. It really should be treated with the same quality expectation as Firefox itself.

    3. Re:In a Plugin! by djsmiley · · Score: 1

      'It's not a windows issue if a program/driver/etc causes it to crash'

      Hmmmm nope.

      --
      - http://www.milkme.co.uk
    4. Re:In a Plugin! by SQLGuru · · Score: 1

      Then why do people blame Windows when it's a Flash/Java issue?

    5. Re:In a Plugin! by daveime · · Score: 1

      > This is the main solution of Firefox for playing MP3 files internally.
      Bollocks
      VLC Player is *the main solution*, and doesn't fall foul of this vulnerability.
      Your system is only as good as the weakest software you install.

  3. Garbage collectors help by Anonymous Coward · · Score: 0

    Shouldn't there be a law forbidding the use of low-level languages like C or C++ to build critical applications to avoid such common insidious and catastrophic flaws like that?

    1. Re:Garbage collectors help by Celarent+Darii · · Score: 2

      We would be writing everything in LISP if it wasn't for RMS.

    2. Re:Garbage collectors help by Anonymous Coward · · Score: 1

      Or use a language like Rust which aims for memory safety without garbage collection. Servo is implemented in Rust.

    3. Re:Garbage collectors help by jklovanc · · Score: 1

      I guess you don't write real-time applications where garbage collection at the wrong time can be very bad.

    4. Re: Garbage collectors help by Anonymous Coward · · Score: 1

      You've linked to two highly experimental and nearly unusable projects. Have you actually tried Servo? It doesn't even have a usable UI, for crying out loud! Rust still hasn't had a stable release, either. We were told that Rust 1.0 would be out before the end of 2014. When that failed to happen, the date then became May 2015. I don't have much faith in them meeting that deadline. Don't waste our time with these halfassed efforts, please.

    5. Re:Garbage collectors help by Needs2BeSaid · · Score: 0

      I really hope you are joking/trolling. It's really difficult to watch as more and more people view government intervention as a solution to all their problems.

      --
      Some things need to be said...
    6. Re: Garbage collectors help by Anonymous Coward · · Score: 0

      And Emacs, RMS's chief operating system after the failure of Hurd, runs on a core of what?

    7. Re:Garbage collectors help by david_thornley · · Score: 1

      Or use C++ smart pointers with a reasonable style guide, enforced by code review. So much for those use-after-free errors.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Garbage collectors help by Anonymous Coward · · Score: 0

      As the sheer volume of memory related security problems demonstrates, what you propose simply doesn't work in the real world. Software projects are too big, timelines are too short and it's too easy to get it wrong in C++.

    9. Re: Garbage collectors help by Celarent+Darii · · Score: 1

      The death of Symbolics was in some ways the catalyst to the death of the AI industry and LISP in general. Although the company was (very) badly managed, RMS is responsible for a lot of the infighting and political grandstanding that basically killed the company. With the death of Symbolics and the consequent poison-pill of coding politics, programming in LISP just became unprofitable and eventually died out. Granted there are many other factors, but this was one of them.

      I invite you to read the history of the MIT AI lab to see a bit of the shit that happened there.

      RMS hasn't programmed anything for a long time. He is more of an activist than engineer - always has been, always will be.

    10. Re: Garbage collectors help by Anonymous Coward · · Score: 0

      Have you actually tried Servo? It doesn't even have a usable UI

      Yes, I have. You can use servo-shell

      the date then became May 2015. I don't have much faith in them meeting that deadline.

      You don't need faith. It's software, not religion. Here's the Rust 1.0 schedule, so why whine?

      You worry too much. Relax, take a rest. You'll be happier.

  4. Royalty-free codecs help here by Anonymous Coward · · Score: 2, Insightful

    This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

    1. Re:Royalty-free codecs help here by gnasher719 · · Score: 5, Insightful

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

      Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.

    2. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 1

      This is a bug. The same bug could happen with any codec

      We're not talking about codecs as much as we're talking about implementations and what you're free to ship without a patent license. If a codec is implemented in, say, Rust, then a whole class of security problems is mitigated by the design of the language. You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

    3. Re:Royalty-free codecs help here by gnasher719 · · Score: 0

      And for all those people who use operating systems written by Microsoft or Apple: Why the f*** would they care whether a Codec is royalty free or not? Apple and Microsoft are paying the royalties. And they defend against patent trolls who suddenly start demanding billions of dollars for mp3 codecs (Motorola and Google, I'm looking at you).

    4. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 0

      And for all those people who use operating systems written by Microsoft or Apple: Why the fuck would they care whether a Codec is royalty free or not?

      You're saying non-technical users don't understand the technical issues. I'd say that's self-evident. You're arguing that ignorance is strength. I'll pass on that particular dystopia.

      Your anger is weird and misdirected. Sort it out, my son.

    5. Re:Royalty-free codecs help here by Kjella · · Score: 2

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. (...) I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

      At least for Opus it's probably already too late, in two-three years MP3 and AAC will be patent-free, the relevant dates seem to be respectively 16.04.2017 and 14.02.2018 so by the time Opus goes mainstream patents won't matter. That war was fought and lost sometime around Ogg Vorbis. Even if they are slightly inferior to Opus in compression they have almost universal hardware and software support and just giving them a little more bit rate negates the quality difference. A mainstream patent free video codec would be great to have though, but I'm not holding my breath. You need to get the industry support behind it and these days most cameras record in H.264, YouTube delivery is just one part of the puzzle.

      --
      Live today, because you never know what tomorrow brings
    6. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 0

      You need to get the industry support behind it

      Opus is implemented by all browsers (Firefox, Chrome, Opera, IE soon) that implement WebRTC (or ORTC). Even IE will support Opus soon.

    7. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 0

      I look forward to downloading Opus albums and playing them in my car's MP3 player and on my iPod. I hear they'll make great ringtones!

      I'm just having a hard time figuring out how to install IE on my GPS.

    8. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 0

      And they defend against patent trolls who suddenly start demanding billions of dollars for mp3 codecs (Motorola and Google, I'm looking at you).

      LOLWUT? You realize that MS gets a royalty on every android device made right? They make more on Android than they do on Windows Phone. You've got to be trolling because people aren't really this dense.

    9. Re:Royalty-free codecs help here by bill_mcgonigle · · Score: 1

      You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

      Go for it. The playback patents expire later this year - by time you're ready to ship, it'll be free of government imposition.

      The encoding patents are a bit more nebulously defined - depends on who you ask and where you live.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:Royalty-free codecs help here by babydog · · Score: 1

      _You_ try looking inside OpenSSL. It causes bad dreams.

    11. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 0

      The encoding patents are a bit more nebulously defined - depends on who you ask and where you live.

      Exactly so. It saves everyone time just to use Opus. It's better performing than MP3, suitable for a broader range of applications, and royalty-free for all use cases.

  5. Re:DANGER WILL ROBINSON! by Anonymous Coward · · Score: 0, Funny

    but, but, I know that Linux is always secure, I read it on /.

  6. Mitigation? by Anonymous Coward · · Score: 0

    Anyone have a good way to shut this off? Remove fluendo?

    1. Re:Mitigation? by Anonymous Coward · · Score: 2, Informative

      apt-get purge gstreamer1.0-fluendo-mp3

      Ubuntu also asks during installation if you want Fluendo or not.

    2. Re:Mitigation? by Anonymous Coward · · Score: 0

      Don't use a shit distro like Ubuntu (which likes to pre-package and ask you to install all this useless shit) and do something better like Gentoo, where you can actually control what's put on your system.

  7. Enough with April fools jokes! by Anonymous Coward · · Score: 0

    Fed ex of Slashvertisements!

    Did I say 'ex'. I meant 'up'!

  8. A closed-source component is responsible for this by opus_magnum · · Score: 0, Troll

    Imagine that.

  9. Does any distro install this package by default? by Anonymous Coward · · Score: 0

    I'm looking on Linux Mint and the gstreamer@v@-fluendo-mp3 package is not installed. But I'm still wondering if the other gstreamer library packages (plugins-bad/base/good/etc) that include dozens and dozens of codecs include this anyway.

    Or a better question: Does firefox package this along with the browser? Can it be disabled, removed?

  10. So it affects like 2 users? by Anonymous Coward · · Score: 1

    I best get removing the guilty parties.

    Personally, I blame systemd for this.

    If we weren't all either bitching about systemd on the web, or fixing systemd's failings, someone might have got this earlier.

  11. Critical? by stevez67 · · Score: 2

    Any more that means the media have nothing else to scream about so trivial issues become "critical".

  12. Re:A closed-source component is responsible for th by Anonymous Coward · · Score: 4, Funny

    But only on an open source operating system, in an open source browser.

    I guess the quality of software written for closed source operating systems and browsers is just better.

  13. Time for sandboxing with Genode.org by Anonymous Coward · · Score: 0

    Time to sandbox every data stream in a separate sandbox.

    This OS does it from the ground up.

    http://genode.org/

  14. headline omits keywords: LINUX ONLY by monkeyzoo · · Score: 1

    Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

    The fact that this is Linux only and not Windows or OS X really should be in the headline! Although I use Linux, this key element makes the news about 21% as important. (Write me back and I will explain the complex equation by which I arrived at that figure.) ;-)

    1. Re: headline omits keywords: LINUX ONLY by Anonymous Coward · · Score: 0

      Are there any distros that have Fluendo installed by default? Ubuntu 14.04.2 doesn't.

  15. One word by Anonymous Coward · · Score: 0

    Heartbleed.

  16. Re:Does any distro install this package by default by Anonymous Coward · · Score: 0

    Yeah, I'm not totally sure myself, but it seems to me it's not even available on Gentoo, where we use the MAD Gstreamer decoder plugin for MP3 decoding...

    From http://fedoraproject.org/wiki/Installing_the_Fluendo_MP3_plugin the plugin should be located at: /usr/lib/gstreamer-1.0/libgstflump3dec.so (and I don't have it, even with gst-plugins-bad and media-libs/gst-plugins-ugly installed).

    From https://bugs.gentoo.org/show_bug.cgi?id=281083 they say the plugin was included in gst-plugins-bad, but this dates back to 2009, so things may have changed...

    Hmmmm... http://cgit.freedesktop.org/gstreamer/gst-plugins-bad/tree/gst/mpegdemux actually says the plugin originated from Fluendo, but is this really the version talked about in the very (intentionally?) limited report, or a simple fork for which the issue may have been fixed long ago, while not fixed in the official Fluendo version which apparently few really use?

    Or does Mozilla ship the plugin themselves? It does not seem to be included in the files installed by Firefox on Gentoo, unless it's been statically linked inside some other file... Even if Mozilla ships it, it's very possible Gentoo does not install it, to use the libraries available on the system...

    The Mozilla bug report is still private even though the fix is supposed to be already shipped in Firefox 37...

    The relation between Fluendo and Gstreamer is quite blurry too... They employed the main Gstreamer devs for some time, then they left and founded another company, but gstreamer.com is still owned by Fluendo, but they link to the Freedesktop servers to get Gstreamer...
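The posts above (the `apt-get purge gstreamer1.0-fluendo-mp3` suggestion and the `/usr/lib/gstreamer-1.0/libgstflump3dec.so` path quoted from the Fedora wiki) boil down to one question: is the Fluendo decoder actually on this machine? The following audit script is an added example, not code from the thread or from Fluendo/Mozilla; the library and package names come from the posts, while the GStreamer element name `flump3dec`, the search directories and the `--run` convention are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Slashdot thread: audit a Linux host for the
# Fluendo MP3 GStreamer decoder. Library and package names come from the
# thread; the element name "flump3dec" and search directories are assumptions.

FLUENDO_LIB="libgstflump3dec.so"
FLUENDO_PKG="gstreamer1.0-fluendo-mp3"

# Return 0 and print every copy of the decoder library found under the given
# directories (recursive, so arch subdirs like x86_64-linux-gnu are covered).
find_fluendo_lib() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        hits=$(find "$dir" -name "$FLUENDO_LIB" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return "$found"
}

# Return 0 if the Debian/Ubuntu package named in the thread is installed,
# 1 if it is not or if this is not a dpkg-based system.
fluendo_pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f '${Status}\n' "$FLUENDO_PKG" 2>/dev/null |
        grep -q 'install ok installed'
}

# Return 0 if GStreamer can load the decoder element (name is an assumption).
fluendo_element_loads() {
    command -v gst-inspect-1.0 >/dev/null 2>&1 || return 1
    gst-inspect-1.0 flump3dec >/dev/null 2>&1
}

# Run all three checks; exit status 0 means the decoder is present somewhere.
audit() {
    status=1
    if find_fluendo_lib /usr/lib /usr/lib64 \
            "${HOME:-/root}/.local/share/gstreamer-1.0/plugins"; then
        echo "Fluendo MP3 decoder library present (paths listed above)"
        status=0
    fi
    if fluendo_pkg_installed; then
        echo "package $FLUENDO_PKG installed; remove with: apt-get purge $FLUENDO_PKG"
        status=0
    fi
    if fluendo_element_loads; then
        echo "GStreamer can load the flump3dec element"
        status=0
    fi
    [ "$status" -eq 0 ] || echo "Fluendo MP3 decoder not found on this host"
    return "$status"
}

# Only run when invoked directly with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as `sh audit-fluendo.sh --run`; a non-zero exit means none of the three checks found the decoder, which on Gentoo (per the post above) is the expected result.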

  17. Known crash since 2014 by Anonymous Coward · · Score: 1

    This is actually a little less malicious than you'd think. Firefox has been known to crash when attempting to play HTML5 audio directly to your operating system's media handling framework. You can turn it off and go back to default behavior by going to about:config and turning off media.gstreamer.* or media.windows-media-foundation.*

  18. What Do You Expect by Anonymous Coward · · Score: 0

    What do you expect when Mozilla staff are focused on creating a Swiss army knife of a browser (sound like Netscape, anybody?)? They roll video and audio playback, chat, and other frills into the core and leave it to extensions to fix core functionality issues. Of course the more complicated they make the browser, the more vulnerabilities it will have. Who here remembers when Seamonkey was the only Mozilla product and they dumped it for Firefox because then Firefox was only a 4 MB download? It's time to clean house again.

    1. Re:What Do You Expect by Anonymous Coward · · Score: 0

      They roll video and audio playback, chat, and other frills into the core

      So... like every other browser that supports HTML5. If you don't like HTML5 then you'll need to boycott all of the major browsers.

  19. Re:DANGER WILL ROBINSON! by Anonymous Coward · · Score: 0

    This is like blaming Windows because a user downloads cracked files filled with malware. You have to purposefully download or run untrusted mp3s. This isn't a linux wide thing, it's a "vulnerability" in a browser based on a plugin. That's pretty deep down the rabbit hole to blame an OS for, aside from that this isn't even a very exploitable bug aside from causing crashing.

    https://www.owasp.org/index.php/Using_freed_memory

  20. How do I remove this garbage from Debian Wheezy? by Anonymous Coward · · Score: 0

    It seems completely ingrained in my system. How do I get rid of it?

  21. Re:A closed-source component is responsible for th by Anonymous Coward · · Score: 0

    And closed-source OSs don't suffer the same problem.

    Imagine that!

  22. Who the hell uses fluendo? by Anonymous Coward · · Score: 0

    There are other GStreamer plugins that provide mp3 playback and don't depend on Fluendo's bullshit.

    1. Re:Who the hell uses fluendo? by Anonymous Coward · · Score: 0

      like vlc? is that acceptable solution?

  23. MP3 Audio Explanation? by ZeroEpoch · · Score: 0

    Could someone provide a link to an MP3 from an untrusted random site that I can listen to which explains how this vulnerability works? Reading is hard!