Update libFlac to the latest version (1.3.1)
Reported by kushal89...@gmail.com, May 8 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

VULNERABILITY DETAILS

The libFlac copy that's bundled in the Chromium source is currently at version 1.2.1, as seen here:
- https://code.google.com/p/chromium/codesearch#chromium/src/third_party/flac/README&sq=package:chromium

This version is vulnerable to a heap-based buffer overflow and a stack-based buffer overflow, as described on the libFlac home page. See CVE-2014-9028 (http://www.securityfocus.com/bid/71282) & CVE-2014-8962 (http://www.securityfocus.com/bid/71280).

libFlac should be updated to the latest version, i.e. v1.3.1.

Did this work before? N/A
Chrome version: 50.0.2661.94
Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 21.0 r0
May 9 2016
I only fixed a compiler warning there once, but sure :-) Taking a stab here: https://codereview.chromium.org/1961133002/ (I still need to test that, though). Both CVEs refer to the stream decoder, which I don't think Chromium ever uses (flac is used for encoding voice input sent to Google's speech recognition service). Can we remove Restrict-View-SecurityTeam?
May 9 2016
Google Play Music, a service offered by Google (available on Android, iOS & "Web"), allows users to play a local ".flac" file stored on their system. The application (whilst being used on the PC Web and not the iOS/Android apps) plays the file within the Chrome browser itself and most probably makes use of the vulnerable "stream_decoder.c" file within the "libFlac" library, considering it is the most apt library within Chromium for the said file type.
May 9 2016
The only code in Chromium using third_party/flac is the speech recognition code. I don't know how Play Music works; last I heard, they were using Flash for playback. But we should fix this anyway: it's no good being stuck on an ancient version.
May 10 2016
Thanks hans for picking this up. I've removed the view restrictions.
May 10 2016
P.S. Thank you to the original reporter for noticing this had gotten out of date.
May 10 2016
@hans, I completely agree with you; it isn't good to be stuck on an ancient version for long. @felt, thank you for considering this report and for initiating the fix so quickly. PS: Any chance of a reward on this one, like "Issue 560291" reported earlier this year? Just trying out my luck.. :)
May 10 2016
Based on comment 4, I'd say probably not, as it doesn't seem likely that these issues would be reachable in Chrome. If you could provide a test case demonstrating that they could be exploited, we would certainly consider it for a reward. Thanks for the report either way; we do appreciate it.
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/607364754c497842182a9c776e492564689d8d4f

commit 607364754c497842182a9c776e492564689d8d4f
Author: hans <hans@chromium.org>
Date: Tue May 10 20:11:26 2016

Roll flac 2c4b86af:2d224742

9fc1ca46 Update flac URL in README.chromium.
59c0c55a Update FLAC to 1.3.1
2d224742 README.chromium: restore the Name field

BUG= 610125
Review-Url: https://codereview.chromium.org/1965553004
Cr-Commit-Position: refs/heads/master@{#392693}

[modify] https://crrev.com/607364754c497842182a9c776e492564689d8d4f/DEPS
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6e971665cbbc1d270560da93b3736bf9907ce88f

commit 6e971665cbbc1d270560da93b3736bf9907ce88f
Author: hans <hans@chromium.org>
Date: Tue May 10 21:55:47 2016

Revert of Roll flac 2c4b86af:2d224742 (patchset #2 id:20001 of https://codereview.chromium.org/1965553004/ )

Reason for revert:
Broke e.g. https://build.chromium.org/p/chromium.fyi/builders/CrWinClang/builds/8652/steps/compile/logs/stdio

Reverting while investigating.

Original issue's description:
> Roll flac 2c4b86af:2d224742
>
> 9fc1ca46 Update flac URL in README.chromium.
> 59c0c55a Update FLAC to 1.3.1
> 2d224742 README.chromium: restore the Name field
>
> BUG= 610125
>
> Committed: https://crrev.com/607364754c497842182a9c776e492564689d8d4f
> Cr-Commit-Position: refs/heads/master@{#392693}

TBR=felt@chromium.org,thakis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 610125

Review-Url: https://codereview.chromium.org/1969573002
Cr-Commit-Position: refs/heads/master@{#392736}

[modify] https://crrev.com/6e971665cbbc1d270560da93b3736bf9907ce88f/DEPS
May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ddaa08c81fadf7df21cc9dcdb11d8cb95617386d

commit ddaa08c81fadf7df21cc9dcdb11d8cb95617386d
Author: hans <hans@chromium.org>
Date: Wed May 11 01:19:36 2016

Roll flac 2c4b86af:812243a8

9fc1ca46 Update flac URL in README.chromium.
59c0c55a Update FLAC to 1.3.1
2d224742 README.chromium: restore the Name field
812243a8 Add missing extern declaration of inline function

BUG= 610125
Review-Url: https://codereview.chromium.org/1968613003
Cr-Commit-Position: refs/heads/master@{#392806}

[modify] https://crrev.com/ddaa08c81fadf7df21cc9dcdb11d8cb95617386d/DEPS
Comment 1 by f...@chromium.org, May 9 2016
Status: Assigned (was: Unconfirmed)