
MP3 Backend of Firefox and Thunderbird Found Vulnerable

jones_supa writes: A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.
  • by hcs_$reboot ( 1536101 ) on Thursday April 02, 2015 @03:06AM (#49390037)

    a use-after-free scenario when playing certain audio files (...) can lead to a potentially exploitable crash

    It has been reported that the crash always happens when playing J.Bieber stuff.

  • by Anonymous Coward

    It's not really a Firefox / Thunderbird issue if a plugin causes it.
    There's tons of plugins out there and in general they aren't of the same quality as Firefox itself. So nothing to see here.

    • by gl4ss ( 559668 )

      not really if the plugin is used incorrectly.

      like the plugin is used after its memory is freed.

      • Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

        The fact that this is Linux only and not Windows or OS X really should be in the headline! Although I use Linux, this key element makes the news about 21% as important. (Write me back and I will explain the complex equation by which I arrived at that figure.) ;-)

    • 'It's not a windows issue if a program/driver/etc causes it to crash'

      Hmmmm nope.

    • by SQLGuru ( 980662 )

      Then why do people blame Windows when it's a Flash/Java issue?

  • by Anonymous Coward

    This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

    • by gnasher719 ( 869701 ) on Thursday April 02, 2015 @04:42AM (#49390247)

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

      Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.

      • by Anonymous Coward

        This is a bug. The same bug could happen with any codec

        We're not talking about codecs as much as we're talking about implementations and what you're free to ship without a patent license. If a codec is implemented in, say, Rust [rust-lang.org], then a whole class of security problems are mitigated by the design of the language. You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

        • You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.

          Go for it. The playback patents expire later this year - by the time you're ready to ship, it'll be free of government imposition.

          The encoding patents are a bit more nebulously defined - depends on who you ask and where you live.

      • _You_ try looking inside OpenSSL. It causes bad dreams.
    • And for all those people who use operating systems written by Microsoft or Apple: Why the f*** would they care whether a Codec is royalty free or not? Apple and Microsoft are paying the royalties. And they defend against patent trolls who suddenly start demanding billions of dollars for mp3 codecs (Motorola and Google, I'm looking at you).
    • by Kjella ( 173770 )

      This is why it's important to have royalty-free codecs for the web that everyone is free to implement. (...) I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

      At least for Opus it's probably already too late, in two-three years MP3 and AAC will be patent-free, the relevant dates seem to be respectively 16.04.2017 and 14.02.2018 so by the time Opus goes mainstream patents won't matter. That war was fought and lost sometime around Ogg Vorbis. Even if they are slightly inferior to Opus in compression they have almost universal hardware and software support and just giving them a little more bit rate negates the quality difference. A mainstream patent free video code

  • by Anonymous Coward

    I best get removing the guilty parties.

    Personally, I blame systemd for this.

    If we weren't all either bitching about systemd on the web, or fixing systemd's failings, someone might have got this earlier.

  • Any more that means the media have nothing else to scream about so trivial issues become "critical".
  • by Anonymous Coward

    This is actually a little less malicious than you'd think. Firefox has been known to crash when attempting to play HTML5 audio directly to your operating system's media handling framework. [mozilla.org] You can turn it off and go back to default behavior by going to about:config and turning off media.gstreamer.* or media.windows-media-foundation.*
