[Bug 1030675] New: Firefox downloads binary code without warning

newer
[Bug 960875] MySQL server 5.7 from...

bugzilla_noreply＠novell.com

23 Mar 2017 23 Mar '17

12:29

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 Bug ID: 1030675 Summary: Firefox downloads binary code without warning Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Firefox Assignee: bnc-team-mozilla@forge.provo.novell.com Reporter: lnussel@suse.com QA Contact: qa-bugs@suse.de CC: ciaran.farrell@suse.com, security-team@suse.de Found By: --- Blocker: --- about:plugins lists "OpenH264 Video Codec provided by Cisco Systems, Inc." as shared library that is in the user's home directory. Description says "This plugin is automatically installed by Mozilla to comply with the WebRTC specification and to enable WebRTC calls with devices that require the H.264 video codec. Visit http://www.openh264.org/ to view the codec source code and learn more about the implementation." So the user ends up having binary code installed that was not built by the build service and not installed via package management. -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 2.8 KB)

Show replies by date

bugzilla_noreply＠novell.com

23 Mar 23 Mar

12:34

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c1 Wolfgang Rosenauer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED CC| |wolfgang@rosenauer.org --- Comment #1 from Wolfgang Rosenauer --- I can confirm. How severe is that issue for us? I haven't seen any discussion and doubts from other Linux distributions about this. Also in addition: There is also the EME module "Widevine Content Decryption Module zur Verfügung gestellt von Google Inc." which is not even open source. But at least this one is downloaded on demand and only after confirmation from the user as far as I can tell. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:59

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c2 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |astieger@suse.com --- Comment #2 from Andreas Stieger --- We turned runtime binary downloading off for Chromium in bug 935022, so I would like to do the same with the next reasonable update. Download URL used for this plugin: http://ciscobinary.openh264.org/openh264-linux64-0410d336bb748149a4f560eb610... akamai CDN, no https. No UI interaction, and binary content. We would like the following: * No content downloaded without the user's permission or reasonable expectation * built from source in OBS, or it needs to go into :NonFree Some form of interaction or choice would be highly desirable. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:18

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c3 --- Comment #3 from Ludwig Nussel --- Is there any other form of verification or can anyone intercept and modify the download? -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:22

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c4 --- Comment #4 from Wolfgang Rosenauer --- (In reply to Andreas Stieger from comment #2)

...

Download URL used for this plugin: http://ciscobinary.openh264.org/openh264-linux64- 0410d336bb748149a4f560eb6108090f078254b1.zip

akamai CDN, no https.

I'm pretty sure there is a security check. Will verify.

...

No UI interaction, and binary content.

We would like the following: * No content downloaded without the user's permission or reasonable expectation

ok, need to see what is possible. If there is nothing prepared in FF to achieve that there is a bigger issue ahead of us.

...

* built from source in OBS, or it needs to go into :NonFree

Cisco can only grant the license in binary form is what I learned back then when it was introduced. Therefore it needs to be downloaded from Cisco. (Pretty similar to the nvidia thing). And cannot be shipped by mozilla.org and therefore not from us.

...

Some form of interaction or choice would be highly desirable.

understood -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:30

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c5 --- Comment #5 from Wolfgang Rosenauer --- (In reply to Ludwig Nussel from comment #3)

...

Is there any other form of verification or can anyone intercept and modify the download?

https://dxr.mozilla.org/mozilla-release/source/toolkit/content/gmp-sources/o... So I guess we can at least consider the download verification to be secure. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Jul 7 Jul

08:01

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(lnussel@suse.com) |needinfo?(ciaran.farrell@su | |se.com) -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 Jul 10 Jul

12:15

New subject: [Bug 1030675] Firefox downloads binary code without warning

http://bugzilla.opensuse.org/show_bug.cgi?id=1030675 http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c9 Mircea Kitsune changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sonichedgehog_hyperblast00@ | |yahoo.com --- Comment #9 from Mircea Kitsune --- Subscribing to this bug with much interest. I strongly believe this is a serious issue, which both openSUSE (through default settings and compilation parameters) and especially Mozilla (by disabling any such system by default) should fix! We use open-source software not just out of the philosophy of openness, but also because we want to be sure of what software runs on our machines... Linux users like myself even stick to the free video drivers for gaming. Web browsers randomly downloading and running proprietary software blobs is a huge deal! Who's to say that code to steal your private data and send it to a government or corporation won't be included into those blobs, with users lured onto video websites where they'll be asked to enable it to watch clips? DRM is evil for multiple reasons, and such a thing should be treated with much suspicion in an open software ecosystem. -- You are receiving this mail because: You are on the CC list for the bug.

2490

Age (days ago)

2599

Last active (days ago)

List overview

Download

7 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 1030675] New: Firefox downloads binary code without warning

tags

participants (1)