[Bug 1030675] New: Firefox downloads binary code without warning
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675

            Bug ID: 1030675
           Summary: Firefox downloads binary code without warning
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Firefox
          Assignee: bnc-team-mozilla@forge.provo.novell.com
          Reporter: lnussel@suse.com
        QA Contact: qa-bugs@suse.de
                CC: ciaran.farrell@suse.com, security-team@suse.de
          Found By: ---
           Blocker: ---

about:plugins lists "OpenH264 Video Codec provided by Cisco Systems, Inc." as a shared library that is in the user's home directory.

Description says "This plugin is automatically installed by Mozilla to comply with the WebRTC specification and to enable WebRTC calls with devices that require the H.264 video codec. Visit http://www.openh264.org/ to view the codec source code and learn more about the implementation."

So the user ends up having binary code installed that was not built by the build service and not installed via package management.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c1
--- Comment #1 from Wolfgang Rosenauer
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c2
--- Comment #2 from Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c3
--- Comment #3 from Ludwig Nussel
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c4
--- Comment #4 from Wolfgang Rosenauer
> Download URL used for this plugin:
> http://ciscobinary.openh264.org/openh264-linux64-0410d336bb748149a4f560eb6108090f078254b1.zip
> akamai CDN, no https.

I'm pretty sure there is a security check. Will verify.

> No UI interaction, and binary content.
> We would like the following:
> * No content downloaded without the user's permission or reasonable expectation

ok, need to see what is possible. If there is nothing prepared in FF to achieve that there is a bigger issue ahead of us.

> * built from source in OBS, or it needs to go into :NonFree

Cisco can only grant the license in binary form is what I learned back then when it was introduced. Therefore it needs to be downloaded from Cisco. (Pretty similar to the nvidia thing). And cannot be shipped by mozilla.org and therefore not from us.

> Some form of interaction or choice would be highly desirable.

understood
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c5
--- Comment #5 from Wolfgang Rosenauer
> Is there any other form of verification or can anyone intercept and modify the download?

https://dxr.mozilla.org/mozilla-release/source/toolkit/content/gmp-sources/o...

So I guess we can at least consider the download verification to be secure.
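An added example (not Mozilla's or Firefox's code) of the verification step comment #5 points to: compute the digest of the downloaded archive and compare it to the value published in the gmp-sources manifest, and flag that the plain-http CDN URL from comment #4 gives no transport integrity on its own. The manifest field names and the sample archive bytes are constructed assumptions, not copied from Mozilla's file.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the archive Firefox fetches (not a real OpenH264 build).
SAMPLE_ZIP = b"PK\x03\x04 constructed openh264 archive bytes for the example"

# Constructed manifest in the shape of a gmp-sources JSON entry; the field names
# (vendors, hashFunction, platforms, fileUrl, hashValue) are assumed, and the
# hashValue is computed from the stand-in rather than copied from Mozilla.
MANIFEST = {
    "vendors": {
        "gmp-gmpopenh264": {
            "hashFunction": "sha512",
            "platforms": {
                "Linux_x86_64-gcc3": {
                    "fileUrl": "http://ciscobinary.openh264.org/openh264-linux64-"
                               "0410d336bb748149a4f560eb6108090f078254b1.zip",
                    "hashValue": hashlib.sha512(SAMPLE_ZIP).hexdigest(),
                }
            },
        }
    }
}


def verify_gmp_download(manifest, vendor, platform, data):
    """Return (ok, notes): ok is True only if the digest of `data` matches the
    manifest; notes lists transport weaknesses and the reason for a rejection."""
    entry = manifest["vendors"][vendor]
    plat = entry["platforms"][platform]
    notes = []
    scheme = urlparse(plat["fileUrl"]).scheme
    if scheme != "https":
        # The thread's observation: CDN over plain http, so the manifest hash
        # is the only integrity guarantee for the downloaded bytes.
        notes.append(f"fileUrl is served over {scheme}; integrity rests on the hash alone")
    algo = entry.get("hashFunction", "").lower()
    if algo not in ("sha256", "sha512"):
        return False, notes + [f"unsupported or missing hashFunction {algo!r}"]
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, plat["hashValue"].lower()):
        return False, notes + ["digest mismatch: archive must not be installed"]
    return True, notes
```

A tampered archive (even one extra byte) fails the digest check and is reported as not installable, while the http scheme is always reported as a note even when the digest matches.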
Ludwig Nussel
http://bugzilla.opensuse.org/show_bug.cgi?id=1030675#c9
--- Comment #9 from Mircea Kitsune