MP3 Backend of Firefox and Thunderbird Found Vulnerable 60
jones_supa writes A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.
Watch what you listen (Score:5, Funny)
a use-after-free scenario when playing certain audio files (...) can lead to a potentially exploitable crash
It has been reported that the crash always happen when playing J.Bieber stuff.
In a Plugin! (Score:1)
It's not really a Firefox / Thunderbird issue if a plugin causes it.
There's tons of plugins out there and in general they aren't of the same quality as Firefox itself. So nothing to see here.
Re: (Score:2)
not really if the plugin is used incorrectly.
like the plugin is used after it's memory is freed.
headline omits keywords: LINUX ONLY (Score:2)
Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.
The fact that this is Linux only and not Windows or OS X really should be in the headline! Although I use Linux, this key element makes the news about 21% as important. (Write me back and I will explain the complex equation by which I arrived at that figure.) ;-)
Re: (Score:2)
Bollocks
VLC Player is *the main solution*, and doesn't fall foul of this vulnerability,
Your system is only as good as the weakest software you install.
Re: (Score:2)
'It's not a windows issue if a program/driver/etc causes it to crash'
Hmmmm nope.
Re: (Score:2)
Then why do people blame Windows when it's a Flash/Java issue?
Re: (Score:3)
We would be writing everything in LISP if it wasn't for RMS.
Re: (Score:2)
The death of Symbolics was in some ways the catalyst to the death of the AI industry and LISP in general. Although the company was (very) badly managed, RMS is responsible for a lot of the infighting and political grandstanding that basically killed the company. With the death of Symbolics and the consequent poison-pill of coding politics, programming in LISP just became unprofitable and eventually died out. Granted there are many other factors, but this was one of them.
I invite you to read the history of
Re: (Score:1)
Or use a language like Rust [rust-lang.org] which aims for memory safety without garbage collection. Servo [github.com] is implemented in Rust.
Re: Garbage collectors help (Score:1)
You've linked to two highly experimental and nearly unusable projects. Have you actually tried Servo? It doesn't even have a usable UI, for crying out loud! Rust still hasn't had a stable release, either. We were told that Rust 1.0 would be out before the end of 2014. When that failed to happen, the date then became May 2015. I don't have much faith in them meeting that deadline. Don't waste our time with these halfassed efforts, please.
Re: (Score:2)
Or use C++ smart pointers with a reasonable style guide, enforced by code review. So much for those use-after-free errors.
Re: (Score:2)
I guess you don't write real-time applications where garbage collection at the wrong time can be very bad.
Royalty-free codecs help here (Score:2, Insightful)
This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.
Re:Royalty-free codecs help here (Score:5, Insightful)
This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.
Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.
Re: (Score:1)
This is a bug. The same bug could happen with any codec
We're not talking about codecs as much as we're talking about implementations and what you're free to ship without a patent license. If a codec is implemented in, say, Rust [rust-lang.org], then a whole class of security problems are mitigated by the design of the language. You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.
Re: (Score:2)
You can implement an MP3 decoder in Rust right now, but someone has to pay the patent licensing in order to ship it, which is antithetical to the goals of many software projects and frankly to the Web in general.
Go for it. The playback patents expire later this year - by time you're ready to ship, it'll be free of government imposition.
The encoding patents are a bit more nebulously defined - depends on who you ask and where you live.
Re: (Score:1)
Re: (Score:1)
Re: (Score:3)
This is why it's important to have royalty-free codecs for the web that everyone is free to implement. (...) I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.
At least for Opus it's probably already too late, in two-three years MP3 and AAC will be patent-free, the relevant dates seem to be respectively 16.04.2017 and 14.02.2018 so by the time Opus goes mainstream patents won't matter. That war was fought and lost sometime around Ogg Vorbis. Even if they are slightly inferior to Opus in compression they have almost universal hardware and software support and just giving them a little more bit rate negates the quality difference. A mainstream patent free video code
Re: (Score:2, Informative)
apt-get purge gstreamer1.0-fluendo-mp3
Ubuntu also asks during installation if you want Fluendo or not.
A closed-source component is responsible for this (Score:1, Troll)
Re:A closed-source component is responsible for th (Score:4, Funny)
But only on an open source operating system, in an open source browser.
I guess the quality of software written for closed source operating systems and browsers is just better.
So it affects like 2 users? (Score:1)
I best get removing the guilty parties.
Personally, I blame systemd for this.
If we weren't all either bitching about systemd on the web, or fixing systemd's failings, someone might have got this earlier.
Critical? (Score:2)
Known crash since 2014 (Score:1)
This is actually a little less malicious than you'd think. Firefox has been known to crash when attempting to play HTML5 audio directly to your operating system's media handling framework. [mozilla.org] You can turn it off and go back to default behavior by going to about:config and turning off media.gstreamer.* or media.windows-media-foundation.*