Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
On Fri, 2014-12-05 at 19:17 +0100, Andrey Gursky wrote:
> > b) everyone knows what's actually contained in that binary blob, since
> > it's built from open source code, and the build is (supposed to be)
> > reproducible.
> Yes, supposed to be: there are ongoing efforts to allow reproducible
> builds which will then allow verification of the blob. [1]

Even if it was reproducible (and I didn't manage to),... it wouldn't really help afterwards: once a system has been compromised, an attacker could have wiped all his traces.

I still think it's quite problematic that this slipped through, but even more problematic is IMHO the position of Mozilla, which clearly has said goodbye to some important principles of FLOSS and freedom of users.

Cheers,
Chris.
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
Hi Mike.

From: Mike Hommey m...@glandium.org
> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproducible.

Yes, supposed to be: there are ongoing efforts to allow reproducible builds which will then allow verification of the blob. [1]

> c) the binary blob is verified against a sha256 checksum downloaded from
> a mozilla server through HTTPS with certificate pinning.

Googling on "libgmpopenh264.so sha256" delivers no URL to download this blob, and maybe not even its configure/build options and dependencies. Googling on "libgmpopenh264.so chksum" results in this bug report.

Looking further, I've found some relevant URL info:

    /usr/share/iceweasel/browser/defaults/preferences/firefox.js:pref("media.gmp-manager.url", "https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");

But it's still not really helpful. While Cisco blobs are clearly available [2], Mozilla seems not to be transparent in this issue.

A binary from Cisco:

    -rw-r--r-- 1 andrey andrey 1040584 Aug  8 06:29 libopenh264-1.1.0-linux64.so

and one from Mozilla (~/.mozilla/firefox/*/gmp-gmpopenh264/1.1/):

    -rwxr-xr-x 1 andrey andrey 1030172 Sep  2 22:27 libgmpopenh264.so

They are obviously different.

If I understood correctly, the problem was in patent fees. Cisco published a binary blob, which all could use without paying these fees, but it wouldn't be really interesting. That's why they published source code for it. Now Mozilla can include the blob and be almost sure (for now) that it's really built from this source code. But now I see Mozilla makes its own builds? Or Cisco made some non-public builds for Mozilla?

Regards,
Andrey

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1100304#c9
[2] https://github.com/cisco/openh264/blob/master/RELEASES

P.S. I'm happy openh264 is there at Debian experimental and I've enabled it after the update to iceweasel 34; I'd just like to clarify its origins.
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
Mike Hommey said:
> a) it's not in any release of Debian, and it's not in any upcoming
> release of Debian either. It's in a package from experimental.

I had no idea I was running experimental packages on a machine with wheezy and a few wheezy-backports (openssh-server and debian-security-support). I followed the directions at http://mozilla.debian.net/:

Add to sources.list:

    deb http://mozilla.debian.net/ wheezy-backports iceweasel-release

    $ apt-get update
    $ apt-get install -t wheezy-backports iceweasel

So I have iceweasel 33.1-1~bpo70+1 installed. And this confirms the binary blob:

    $ ls -l ~/.mozilla/firefox/*/gmp-gmpopenh264/1.1
    total 1000
    -rw-r--r-- 1 cp cp     114 Sep  2 16:36 gmpopenh264.info
    -rwxr-xr-x 1 cp cp 1018138 Sep  2 16:37 libgmpopenh264.so

> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproducible.

I'll assume you meant s/knows/can confirm/ because I certainly don't know.

> So it's not as bad as you make it sound.

That's good to know! However I think many of us would be more comfortable if the Debian systems built the source.

http://www.openh264.org/faq.html explains that:

    In order for Cisco to be responsible for the MPEG LA licensing royalties for the module, Cisco must provide the packaging and distribution of this code in a binary module format (think of it like a plug-in, but not using the same APIs as existing plugins), in addition to several other constraints.

http://www.mpegla.com/main/programs/M2/Pages/Agreement.aspx says the license fee would be $2.00 per unit.

http://www.mpegla.com/main/programs/M2/Pages/Agreement.aspx also says:

    License Term Coverage is from June 1, 1994 through the expiration of the MPEG-2 Patent Portfolio Patents and may be voluntarily terminated by the Licensee after December 31, 2015 (Sections 6.1 and 6.4).

If what I am reading is correct, unless someone gets an MPEG LA License that allows Debian to distribute the source and binaries we may not see it until 2016 or perhaps later... According to https://en.wikipedia.org/wiki/Term_of_patent#United_States the patent term is over, so how is it more than 20 years and why can't Debian distribute it now, i.e. after June 1, 2014?

Chuck
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
On Sat, 2014-11-29 at 08:26 +, Chuck Peters wrote:
> That's good to know! However I think many of us would be more
> comfortable if the Debian systems built the source.

Not sure whether this is so easy due to the patent issues. It seems the license where the patent costs are paid by Cisco for everyone only covers the blob.

OTOH, Debian already distributes many binary packages which likely include stuff covered by patents (e.g. all other h264 codecs) and I guess we silently assume that users will have to pay any license fees on their own. So we could do the same here.

The main problem in this whole case (apart from blobs / proprietary software slipping unnoted into Debian) seems to be Mozilla's politics, which more and more says goodbye to the values of FLOSS.

Cheers,
Chris.
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
Hey Mike.

On Fri, 2014-11-28 at 00:44 +0900, Mike Hommey wrote:
> a) it's not in any release of Debian, and it's not in any upcoming
> release of Debian either. It's in a package from experimental.

Well, but you know that a lot of people actually run unstable as their normal suite and many of them pull in iceweasel from experimental, just as you guys suggest here: http://mozilla.debian.net/

Since these versions are usually up to date with what Mozilla ships, there's also not that big a problem with the missing security support in experimental.

> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproducible.

Well, but since the blob is still fetched from Cisco, they could simply replace it for certain users, and once you're hacked there's basically no way to tell whether you had a good version or not.

> c) the binary blob is verified against a sha256 checksum downloaded from
> a mozilla server through HTTPS with certificate pinning.

Ah,.. I was actually looking in the code for something like that, but couldn't find it at the place where the download apparently happens - but I only had a very short glance at it.

Could you perhaps please elaborate a bit more on how that actually works:
- the checksum over the binary download is stored on a mozilla server?
- downloaded via https? (at that point, the way of verifying should in principle also protect against downgrade attacks, as SSL/TLS should protect against replaying... BUT this alone doesn't protect against blocking attacks)
- and you say certificate pinning? Since that could mean a lot, what exactly? Is there a hardcoded cert known to be controlled by Mozilla? Is there a hardcoded CA from the Mozilla CA bundle (which would then in principle still allow that CA to issue a forged cert to someone else)? Or is it pinning in the sense of HSTS, i.e. pinning of any cert (from any trusted CA - even CNNIC) on the first access (which is quite insecure IMHO)?
- has someone really checked that reproducibility?

> So it's not as bad as you make it sound.

Well,.. admittedly, when you say that there *is* some hash sum verification (which I just didn't find)... then it's less bad than I'd thought.

Nevertheless, it's still at least remotely possible that this could have been used to compromise systems, and even if there aren't masses who run experimental, these people are probably still unhappy about that chance. If the bug had been set to a higher severity, then people with apt-listbugs would have at least noticed it :-(

> And it's not going to stay that way anyways.

It's really good we have the Iceweasel fork for things like these. Actually I'd also like to see that in Debian we remove certain trusted CAs, which are basically never used on the web and which are clearly untrustworthy.

Can't you make a quick release where the codec is disabled, or at least fresh downloading of it?

What will be the policy in Debian when Mozilla adds more and more proprietary/binary stuff to FF? Like e.g. the Adobe DRM stuff. Is that going to be removed from the beginning, or will I have to take care that I don't accidentally get DRM-root-kitted with one of the first iceweasel-experimental releases?

Cheers,
Chris.
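The exchange above turns on whether the libgmpopenh264.so that ends up in a profile is really the blob Mozilla's checksum vouches for. The Python script below is an added example, not code from this thread, Mozilla or Debian: it walks the ~/.mozilla/firefox/*/gmp-*/<version>/ layout shown in the directory listings on this page and classifies each shared object against an allowlist of known-good SHA-256 digests. The function names (audit_gmp, run_demo), the profile names and the digest it allowlists are all constructed for the demo; it does not assume anything about the update.xml format.

```python
import glob, hashlib, os, tempfile

def sha256_of(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_gmp(firefox_dir, known_good):
    """Classify every <profile>/gmp-*/<version>/*.so below firefox_dir against
    known_good {(plugin dir, version): sha256 hex}; returns (profile, plugin, version, status)."""
    findings = []
    for so_path in sorted(glob.glob(os.path.join(firefox_dir, "*", "gmp-*", "*", "*.so"))):
        version_dir = os.path.dirname(so_path)
        version = os.path.basename(version_dir)
        plugin = os.path.basename(os.path.dirname(version_dir))
        profile = os.path.basename(os.path.dirname(os.path.dirname(version_dir)))
        # The listings in this thread show gmpopenh264.info beside libgmpopenh264.so;
        # a .so without that manifest was not written by the GMP manager.
        info = os.path.join(version_dir, plugin[len("gmp-"):] + ".info")
        if not os.path.exists(info):
            status = "no-info-file"
        elif (plugin, version) not in known_good:
            status = "unknown-version"
        elif sha256_of(so_path) != known_good[(plugin, version)]:
            status = "hash-mismatch"
        else:
            status = "ok"
        findings.append((profile, plugin, version, status))
    return findings

def run_demo():
    """Audit a CONSTRUCTED profile tree in a temp dir; returns (profile, version, status)."""
    root = tempfile.mkdtemp()
    good = b"constructed-good-blob"  # stands in for the real libgmpopenh264.so bytes
    cases = [("a1.default", "1.1", good, True),              # matches the allowlist
             ("b2.default", "1.1", b"tampered-blob", True),  # same version, other bytes
             ("c3.default", "1.2", good, True),              # version not on the allowlist
             ("d4.default", "1.1", good, False)]             # .so without its .info
    for profile, version, blob, with_info in cases:
        d = os.path.join(root, profile, "gmp-gmpopenh264", version)
        os.makedirs(d)
        open(os.path.join(d, "libgmpopenh264.so"), "wb").write(blob)
        if with_info:
            open(os.path.join(d, "gmpopenh264.info"), "w").close()
    # Allowlist digest is derived from the constructed blob, not from any real release.
    known_good = {("gmp-gmpopenh264", "1.1"): hashlib.sha256(good).hexdigest()}
    return [(p, v, s) for p, _, v, s in audit_gmp(root, known_good)]
```

Point audit_gmp at a real ~/.mozilla/firefox directory with digests obtained from an independently verified source (for instance a reproducible build you performed yourself) to turn this into an actual check.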
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
tags 769716 + security
tags 769716 grave
stop

Wow... I've just stumbled over this by accident and this is really extremely outrageous.

Adding security tag and raising severity to grave, since no one knows what's actually contained in that binary blob; one must basically assume it's a security breach that tries to install a root-kit. And access to a normal user is usually equal to access to root on desktop systems - therefore the severity should actually be critical.

It's really highly disturbing that something like this could slip into Debian, potentially compromising countless systems. And it once more proves the points I've brought up several times on debian-devel, that we have some severe problems about downloader packages and software that circumvents the package management system.

Chris.
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
On Thu, Nov 27, 2014 at 03:54:24PM +0100, Christoph Anton Mitterer wrote:
> tags 769716 + security
> tags 769716 grave
> stop
>
> Wow... I've just stumbled over this by accident and this is really
> extremely outrageous.
>
> Adding security tag and raising severity to grave, since no one knows
> what's actually contained in that binary blob; one must basically assume
> it's a security breach that tries to install a root-kit. And access to a
> normal user is usually equal to access to root on desktop systems -
> therefore the severity should actually be critical.
>
> It's really highly disturbing that something like this could slip into
> Debian, potentially compromising countless systems. And it once more
> proves the points I've brought up several times on debian-devel, that we
> have some severe problems about downloader packages and software that
> circumvents the package management system.

a) it's not in any release of Debian, and it's not in any upcoming release of Debian either. It's in a package from experimental.

b) everyone knows what's actually contained in that binary blob, since it's built from open source code, and the build is (supposed to be) reproducible.

c) the binary blob is verified against a sha256 checksum downloaded from a mozilla server through HTTPS with certificate pinning.

So it's not as bad as you make it sound. And it's not going to stay that way anyways.

Mike
Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
Package: iceweasel
Version: 33.1-1
Severity: serious
Justification: Policy §2.2.1

On first start, Iceweasel downloads the "OpenH264 Video Codec provided by Cisco Systems, Inc." plugin (which is a binary blob) and enables it automatically. This happens without asking the user for consent.

Bug reports about the same problem in other distributions:
https://bugzilla.redhat.com/show_bug.cgi?id=1155499
https://bugs.gentoo.org/show_bug.cgi?id=525810

--
Jakub Wilk