Slashdot Mirror

← Back to Stories (view on slashdot.org)

MP3 Backend of Firefox and Thunderbird Found Vulnerable

Posted by samzenpus on from the protect-ya-neck dept.

jones_supa writes A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

24 of 60 comments (clear)

  1. Watch what you listen by hcs_$reboot · · Score: 5, Funny

    a use-after-free scenario when playing certain audio files (...) can lead to a potentially exploitable crash

    It has been reported that the crash always happen when playing J.Bieber stuff.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  2. In a Plugin! by Anonymous Coward · · Score: 1

    It's not really a Firefox / Thunderbird issue if a plugin causes it.
    There's tons of plugins out there and in general they aren't of the same quality as Firefox itself. So nothing to see here.

    1. Re:In a Plugin! by gl4ss · · Score: 1

      not really if the plugin is used incorrectly.

      like the plugin is used after it's memory is freed.

      --
      world was created 5 seconds before this post as it is.
    2. Re:In a Plugin! by djsmiley · · Score: 1

      'It's not a windows issue if a program/driver/etc causes it to crash'

      Hmmmm nope.

      --
      - http://www.milkme.co.uk
    3. Re:In a Plugin! by SQLGuru · · Score: 1

      Then why do people blame Windows when it's a Flash/Java issue?

    4. Re:In a Plugin! by daveime · · Score: 1

      > This is the main solution of Firefox for playing MP3 files internally.
      Bollocks
      VLC Player is *the main solution*, and doesn't fall foul of this vulnerability,
      Your system is only as good as the weakest software you install.

  3. Royalty-free codecs help here by Anonymous Coward · · Score: 2, Insightful

    This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

    1. Re:Royalty-free codecs help here by gnasher719 · · Score: 5, Insightful

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

      Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.

    2. Re:Royalty-free codecs help here by Anonymous Coward · · Score: 1

      This is a bug. The same bug could happen with any codec

      We're not talking about codecs as much as we're talking about implementations and what you're free to ship without a patent license. If a codec is implemented in, say, Rust, then a whole class of security problems are mitigated by the design of the language. You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

    3. Re:Royalty-free codecs help here by Kjella · · Score: 2

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. (...) I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

      At least for Opus it's probably already too late, in two-three years MP3 and AAC will be patent-free, the relevant dates seem to be respectively 16.04.2017 and 14.02.2018 so by the time Opus goes mainstream patents won't matter. That war was fought and lost sometime around Ogg Vorbis. Even if they are slightly inferior to Opus in compression they have almost universal hardware and software support and just giving them a little more bit rate negates the quality difference. A mainstream patent free video codec would be great to have though, but I'm not holding my breath. You need to get the industry support behind it and these days most cameras record in H.264, YouTube delivery is just one part of the puzzle.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Royalty-free codecs help here by bill_mcgonigle · · Score: 1

      You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

      Go for it. The playback patents expire later this year - by time you're ready to ship, it'll be free of government imposition.

      The encoding patents are a bit more nebulously defined - depends on who you ask and where you live.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Royalty-free codecs help here by babydog · · Score: 1

      _You_ try looking inside OpenSSL. It causes bad dreams.

  4. Re:Garbage collectors help by Celarent+Darii · · Score: 2

    We would be writing everything in LISP if it wasn't for RMS.

  5. Re:Garbage collectors help by Anonymous Coward · · Score: 1

    Or use a language like Rust which aims for memory safety without garbage collection. Servo is implemented in Rust.

  6. Re:Garbage collectors help by jklovanc · · Score: 1

    I guess you don't write real-time applications where garbage collection at the wrong time can be very bad.

  7. Re:Mitigation? by Anonymous Coward · · Score: 2, Informative

    apt-get purge gstreamer1.0-fluendo-mp3

    Ubuntu also asks during installation if you want Fluendo or not.

  8. So it affects like 2 users? by Anonymous Coward · · Score: 1

    I best get removing the guilty parties.

    Personally, I blame systemd for this.

    If we weren't all either bitching about systemd on the web, or fixing systemd's failings, someone might have got this earlier.

  9. Critical? by stevez67 · · Score: 2

    Any more that means the media have nothing else to scream about so trivial issues become "critical".

  10. Re:A closed-source component is responsible for th by Anonymous Coward · · Score: 4, Funny

    But only on an open source operating system, in an open source browser.

    I guess the quality of software written for closed source operating systems and browsers is just better.

  11. headline omits keywords: LINUX ONLY by monkeyzoo · · Score: 1

    Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

    The fact that this is Linux only and not Windows or OS X really should be in the headline! Although I use Linux, this key element makes the news about 21% as important. (Write me back and I will explain the complex equation by which I arrived at that figure.) ;-)

  12. Re: Garbage collectors help by Anonymous Coward · · Score: 1

    You've linked to two highly experimental and nearly unusable projects. Have you actually tried Servo? It doesn't even have a usable UI, for crying out loud! Rust still hasn't had a stable release, either. We were told that Rust 1.0 would be out before the end of 2014. When that failed to happen, the date then became May 2015. I don't have much faith in them meeting that deadline. Don't waste our time with these halfassed efforts, please.

  13. Known crash since 2014 by Anonymous Coward · · Score: 1

    This is actually a little less malicious than you'd think. Firefox has been known to crash when attempting to play HTML5 audio directly to your operating system's media handling framework. You can turn it off and go back to default behavior by going to about:config and turning off media.gstreamer.* or media.windows-media-foundation.*

  14. Re:Garbage collectors help by david_thornley · · Score: 1

    Or use C++ smart pointers with a reasonable style guide, enforced by code review. So much for those use-after-free errors.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  15. Re: Garbage collectors help by Celarent+Darii · · Score: 1

    The death of Symbolics was in some ways the catalyst to the death of the AI industry and LISP in general. Although the company was (very) badly managed, RMS is responsible for a lot of the infighting and political grandstanding that basically killed the company. With the death of Symbolics and the consequent poison-pill of coding politics, programming in LISP just became unprofitable and eventually died out. Granted there are many other factors, but this was one of them.

    I invite you to read the history of the MIT AI lab to see a bit of the shit that happened there.

    RMS hasn't programmed anything for a long time. He is more of an activist than engineer - always has been, always will be.