MP3 Backend of Firefox and Thunderbird Found Vulnerable

jones_supa writes A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

Watch what you listen

[hcs_$reboot]

a use-after-free scenario when playing certain audio files (...) can lead to a potentially exploitable crash

It has been reported that the crash always happen when playing J.Bieber stuff.

Royalty-free codecs help here

This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

Re:Royalty-free codecs help here

[gnasher719]

This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.

Re:Royalty-free codecs help here

[Kjella]

This is why it's important to have royalty-free codecs for the web that everyone is free to implement. (...) I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

At least for Opus it's probably already too late, in two-three years MP3 and AAC will be patent-free, the relevant dates seem to be respectively 16.04.2017 and 14.02.2018 so by the time Opus goes mainstream patents won't matter. That war was fought and lost sometime around Ogg Vorbis. Even if they are slightly inferior to Opus in compression they have almost universal hardware and software support and just giving them a little more bit rate negates the quality difference. A mainstream patent free video codec would be great to have though, but I'm not holding my breath. You need to get the industry support behind it and these days most cameras record in H.264, YouTube delivery is just one part of the puzzle.

Re:Garbage collectors help

[Celarent+Darii]

We would be writing everything in LISP if it wasn't for RMS.

Re:Mitigation?

apt-get purge gstreamer1.0-fluendo-mp3

Ubuntu also asks during installation if you want Fluendo or not.

Critical?

[stevez67]

Any more that means the media have nothing else to scream about so trivial issues become "critical".

Re:A closed-source component is responsible for th

But only on an open source operating system, in an open source browser.

I guess the quality of software written for closed source operating systems and browsers is just better.