From ${URL} : A vulnerability was found in libvpx. A maliciously crafted media file allows remote attackers to execute arbitrary code or cause a denial of service. Upstream fix: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 References: http://lwn.net/Vulnerabilities/680036/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
libvpx < 1.4.0 does not have libwebm. For libvpx-1.4.0, the diff between its mkvparser.cpp and Android's libvpx from the link above is these two commits: https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 libvpx-1.5.0 has a much more recent libwebm. The report is definitely not clear; I'm not sure if the above 2 commits are related or if libvpx 1.4.0 is fine anyway. Severity isn't so high: libwebm is only used for vpxdec & vpxenc in libvpx; those are the example programs that are barely used: they read/write vpx files and write/read raw videos from/to the disk.
CVE-2016-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1621): libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792.
=media-libs/libvpx-1.4.0 is definitely affected. =media-libs/libvpx-1.5.0 is the first version containing the fixes.
Stabilisation was completed in bug #585350 and I've now removed vulnerable.
Arches, thank you for your work. New GLSA request filed.
GLSA released as part of https://security.gentoo.org/glsa/201603-09