libvpx: 1.7.0 -> 1.8.1 #60826

Closed

Contributor

nh2 commented May 3, 2019

Motivation for this change

New version, and gstreamer 1.16's plugin requires a newer version or it won't be compiled in.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
    • No, Firefox issue, see above
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Contributor Author

nh2 commented May 3, 2019

Still building for me, as it builds some Chromium implementation.

Contributor Author

nh2 commented May 3, 2019

@GrahamcOfBorg build libvpx

Contributor

dtzWill commented May 3, 2019

Firefox-based projects* will need some attention: https://bugzilla.mozilla.org/show_bug.cgi?id=1525393

I think the simplest solution for this would be to (temporarily?) let them use the vendored versions, removing it as a dependency and dropping --with-system-libvpx.

Would be nice to upgrade it there as well, though...

Contributor

dtzWill commented May 4, 2019

May be incomplete, but this fixes the worst of the breakage: 968c903

Member

FRidh commented Nov 24, 2019

What's the status of this PR?

Contributor Author

nh2 commented Nov 24, 2019

The Firefox bug is still open, which means they can't handle libvpx 1.8.0.

Should we go ahead with @dtzWill's approach of making Firefox use its vendored libvpx instead of the nixpkgs provided one?

He said

> fixes the worst of the breakage

so I am not sure what the non-worst of it is :)

Contributor

risicle commented Nov 30, 2019

Could someone add the security label to this PR?

https://nvd.nist.gov/vuln/detail/CVE-2019-9232
https://nvd.nist.gov/vuln/detail/CVE-2019-9325
https://nvd.nist.gov/vuln/detail/CVE-2019-9433
https://nvd.nist.gov/vuln/detail/CVE-2019-9371

Though the last of them actually seems to be more of a libwebm issue.

Would probably be best to bump this to 1.8.1 too.

Contributor Author

nh2 commented Nov 30, 2019

> Could someone add the security label to this PR?

Done.

Chasing the links to https://usn.ubuntu.com/4199-1/:

> libvpx did not properly handle certain malformed WebM media files. If an application using libvpx opened a specially crafted WebM file, a remote attacker could cause a denial of service, or possibly execute arbitrary code.

@nh2 nh2 force-pushed the nh2:libvpx-1.8.0 branch from 6aad412 to 3a87c8c Nov 30, 2019
Contributor Author

nh2 commented Nov 30, 2019

Contributor

risicle commented Nov 30, 2019

I'm looking at the backport now...

Contributor Author

nh2 commented Nov 30, 2019

Is it clear whether there is a released version with the fix, or do distros only apply patches so far?

Contributor

risicle commented Nov 30, 2019

Patches. I'm looking to nab the backports from Debian 1.7.0-3+deb10u1.

@nh2 nh2 force-pushed the nh2:libvpx-1.8.0 branch from 3a87c8c to fea9df9 Nov 30, 2019
Contributor Author

nh2 commented Nov 30, 2019

I've force-pushed a change that switches to 1.8.1 instead of 1.8.0 to this PR (branch still keeps the name so we can continue to use this PR).

@GrahamcOfBorg build

@nh2 nh2 changed the title from "libvpx: 1.7.0 -> 1.8.0" to "libvpx: 1.7.0 -> 1.8.1" Nov 30, 2019
Contributor Author

nh2 commented Dec 1, 2019

> Is it clear whether there is a released version with the fix, or do distros only apply patches so far?

> Patches.

No I meant a current version, independent of the backport.

I'm collecting it here:

| CVE | Debian patch | upstream commit | in upstream release |
|---|---|---|---|
| CVE-2019-9232 | https://salsa.debian.org/multimedia-team/libvpx/blob/7d60c930a4c3ab89fca0951136926c8107803797/debian/patches/CVE-2019-9232.patch | webmproject/libvpx@46e17f0 - Fix OOB memory access on fuzzed data | v1.8.0 |
| CVE-2019-9325 | https://security-tracker.debian.org/tracker/CVE-2019-9325 says it's fixed by the commit in the next cell | webmproject/libvpx@0681cff - vp9: fix OOB read in decoder_peek_si_internal | v1.8.0 |
| CVE-2019-9433 | https://salsa.debian.org/multimedia-team/libvpx/blob/7d60c930a4c3ab89fca0951136926c8107803797/debian/patches/CVE-2019-9433.patch -- https://security-tracker.debian.org/tracker/CVE-2019-9433 says it's fixed by the commit in the next cell | webmproject/libvpx@52add58 - VP8: Fix use-after-free in postproc | v1.8.0 |
| CVE-2019-9371 | https://security-tracker.debian.org/tracker/CVE-2019-9371 says it's fixed by the two commits in the next cell | webmproject/libvpx@34d54b0 - update libwebm to libwebm-1.0.0.27-358-gdbf1d10 and webmproject/libvpx@f00890e - update libwebm to libwebm-1.0.0.27-352-g6ab9fcf | v1.8.1 |

Patches from https://github.com/NixOS/nixpkgs/pull/74751/files that I couldn't associate with which CVE they fix:

  • none any more, table complete
@FRidh FRidh added this to WIP in Staging Dec 1, 2019
Contributor Author

nh2 commented Dec 1, 2019

With the above table I have confirmed that all 4 CVEs are addressed by my proposed update to v1.8.1.

Member

FRidh commented Dec 10, 2019

@nh2 "Firefox issue" still needs to be done before this can go in?

Contributor Author

nh2 commented Dec 10, 2019

> @nh2 "Firefox issue" still needs to be done before this can go in?

@FRidh Unfortunately I can't tell, @dtzWill knows much more about that than me.

Contributor Author

nh2 commented Jan 20, 2020

There is no progress on the Firefox bug tracker.

@risicle Could you make your PR #74751 that adds patches for the CVEs also to nixpkgs staging?

Currently master has them unfixed.

Then we could also remove the security label here.

Contributor Author

nh2 commented Jan 21, 2020

@risicle Thanks, merged!

Now we can remove the security label here.

Member

FRidh commented Feb 16, 2020

I suppose this update should still go in?

Contributor Author

nh2 commented Feb 16, 2020

> I suppose this update should still go in?

Yes, but until Firefox is compatible with it, we can't do it (linked upstream Firefox issue).

Or we let Firefox use its vendored libvpx.

@dtzWill Could you have a look at my question up at #60826 (comment) ?

Member

alyssais commented Mar 14, 2020

Firefox bug is closed now.

Member

andir commented Apr 6, 2020

Firefox 75 (released tomorrow…) seems to require a newer libvpx. There has been a release of version 1.8.2 in the meantime. The build currently fails with our current libvpx version. I am trying to build (esr & non-esr) Firefox against 1.8.2 now...

@andir andir mentioned this pull request Apr 7, 2020
Contributor

drewrisinger commented May 4, 2020

libvpx 1.8.2 was included in #84584, which supersedes this PR & makes it irrelevant. Only thing this PR does different is make the default libvpx == 1.8, whereas #84584 adds 1.8 as an option for using in firefox. Closing. Reopen if disagree.

Staging automation moved this from WIP to Done May 4, 2020