PSA regarding CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx

240 views
Skip to first unread message

Björn Terelius

unread,
Oct 13, 2023, 11:22:51 AM10/13/23
to discuss-webrtc

WebRTC depends on libvpx for the implementation of the VP8 and VP9 video codecs. The fix for CVE-2023-5217 was imported into WebRTC on Sept 28th and is included in WebRTC branch https://webrtc.googlesource.com/src/+log/branch-heads/6045. Due to the way in which webrtc uses libvpx, we believe that standalone webrtc isn’t directly affected by this vulnerability, but we nevertheless recommend upgrading to a recent version of the library. 



Some general comments on how dependencies are handled in WebRTC:

The WebRTC DEPS file pins dependencies (including libvpx) to specific revisions, e.g.

https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/DEPS;l=300;drc=08d6197b9e44814bd719d1597eb31c1deb2b7068
The DEPS file is automatically updated to the same revisions that are used in chromium. Usually this happens several times per day, but if manual intervention is needed because a chromium change would break webrtc, it may take a few days.
When a developer runs `gclient sync`, the revisions from the local DEPS file will be downloaded into the local checkout and used by subsequent builds. Thus, if you
`git pull && gclient sync`
your webrtc checkout somewhat regularly, you'll stay up to date with chromium.

Roman Morgenstern

unread,
Oct 16, 2023, 3:06:21 AM10/16/23
to discuss-webrtc
Hi Björn Terelius

Thanks for update. 

How can I change DEPS manually on my local sources so I can build an old WEBRTC release ( say M99, using v1.12.0 ) with a new  libvpx ?

Sincerely 
Roman. 

Roman Morgenstern

unread,
Oct 16, 2023, 3:06:28 AM10/16/23
to discuss-webrtc
Hi Björn

thank you for an update. 

how can I change it manually to build with a new version of  libvpx for older  webrtc release (say for M99 release using  libvpx v1.12.0)

Sincerely 
Roman. 

On Friday, October 13, 2023 at 6:22:51 PM UTC+3 Björn Terelius wrote:

Harald Alvestrand

unread,
Oct 16, 2023, 3:28:08 AM10/16/23
to discuss...@googlegroups.com
The same way that you use for any other local modification should work: Make a fork in your local repo, change DEPS, run gclient sync, check that the right version of libvpx is fetched, and compile.

--
This list falls under the WebRTC Code of Conduct - https://webrtc.org/support/code-of-conduct.
---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/6ed18a19-05ae-49b8-9df8-230a2e11bcb9n%40googlegroups.com.

Philipp Hancke

unread,
Oct 16, 2023, 5:28:01 AM10/16/23
to discuss...@googlegroups.com
Grabbing the libvpx commit hash from the backmerge to M116
is probably the way to go.

To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/CAOqqYVG1mm_Ys%3DkG03xVgWr6uV6mULZNzNk7r%2BJE17UgHAPn6w%40mail.gmail.com.

Björn Terelius

unread,
Oct 16, 2023, 9:15:37 AM10/16/23
to discuss-webrtc
Please note that the chromium bug is not yet public.

Roman Morgenstern

unread,
Oct 17, 2023, 2:43:51 AM10/17/23
to discuss-webrtc
Hi Harald 

thank you for a suggestion. 
I have tried to follow it for a specific branch:

Updated DEPS file 

then run in CLI

webrtc@mobl:~/webrtcandroid/src$  git checkout branch-heads/4844
webrtc@mobl:~/webrtcandroid/src$ gclient sync -D -r branch-heads/4844
Updating depot_tools...
Syncing projects: 100% ( 1/ 1) src
src (ERROR)
----------------------------------------
[0:00:00] Started.
[0:00:00] Finished running: git config remote.origin.url
[0:00:00] Finished running: git rev-list -n 1 HEAD
[0:00:00] Finished running: git rev-parse --abbrev-ref=strict HEAD
----------------------------------------
Error: 1>
1> ____ src at refs/remotes/branch-heads/4844
1>      You have unstaged changes.
1>      cd into src, run git status to see changes,
1>      and commit, stash, or reset.

it seems I probably could not change DEPS and request a sync at the same time ....

Sincerely 
Roman.

Björn Terelius

unread,
Oct 17, 2023, 3:38:51 AM10/17/23
to discuss-webrtc
There's no guarantee that an old webrtc will compile with new dependencies or vice versa.
However, this looks like a a problem with the commands you used (Probably the -r part.)
Try:
 
git checkout <hash/branch>
git checkout -b my-local-branch
<edit DEPS>
git status
<check that only DEPS is modified>
git commit -am "Update DEPS"
gclient sync

In general, I'd recommend updating webrtc instead of patching only the libvpx dependency.

Roman Morgenstern

unread,
Oct 22, 2023, 10:17:28 AM10/22/23
to discuss...@googlegroups.com
Hi Björn,

Thank you for the detailed instructions. I followed them, and as you anticipated, it did not compile.

The issue arises because the procedure you described checks out the source code for libvpx located at third_party\libvpx\source\libvpx. However, it doesn't address the overarching code inside third_party\libvpx. Moreover, the main branch of WebRTC modifies many files inside third_party\libvpx\source\libvpx. This code is managed by the git of the entire third_party directory, so I can't checkout only third_party\libvpx.

My workaround was to check out the latest version of WebRTC with the patched libvpx. I copied the entire third_party\libvpx directory as is. Then, I returned to my branch (branch-heads/4844, which is M99) and replaced its third_party\libvpx with the updated version.

I compiled it using

tools_webrtc/android/build_aar.py --arch armeabi-v7a arm64-v8a --build-dir=build_dir --extra-gn-args android32_ndk_api_level=21

The only minor change I had to make was to disable the dependency from //third_party/cpu_features:ndk_compat:
if (is_android) {
    # deps += [ "//third_party/cpu_features:ndk_compat" ]
}
inside src/third_party/libvpx/BUILD.gn.

I hope this change is indeed minor.

I attempted to optimize the procedure using the directive rtc_libvpx_dir = "//third_party/libvpx" inside src/webrtc.gni, but it was not effective.

To summarize, the procedure to bring the patched version of libvpx to M99 (branch-heads/4844) was:

* Get the latest patched version of WebRTC.
* Copy //third_party/libvpx to a temporary folder //tmp/libvpx.
* Remove .git from //tmp/libvpx (as it would prevent copying back).
* Checkout and gclient sync for branch-heads/4844.
* Replace //third_party/libvpx with //tmp/libvpx.
* Update src/third_party/libvpx/BUILD.gn to exclude deps += [ "//third_party/cpu_features:ndk_compat" ].
* Compile.

I would appreciate any feedback or suggestions for improving the procedure. I hope this can assist with patching older WebRTC versions other than M99.

Unfortunately, we are currently committed to M99. After the switch to the dcSCTP library, the WebRTC data channel is twice as slow as before. This isn't solely due to the 11547 - High DataChannel.send() timing - webrtc (chromium.org)

Sincerely 
Roman 

You received this message because you are subscribed to a topic in the Google Groups "discuss-webrtc" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/discuss-webrtc/ZWZcVOAq7ws/unsubscribe.
To unsubscribe from this group and all its topics, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/71e0552a-6cb2-4598-91c5-d20c21bac8fen%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages