Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 577606 (CVE-2016-1621)

Summary: <media-libs/libvpx-1.5.0: remote code execution via crafted media file (CVE-2016-1621)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: chromium, kensington, media-video, phmagic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 585350    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-03-17 11:42:31 UTC
From ${URL} :

A vulnerability was found in libvpx. A maliciously crafted media file allows remote attackers to execute arbitrary code or cause a denial of service. 

Upstream fix:!/#F1


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-03-17 21:11:27 UTC
libvpx < 1.4.0 does not have libwebm

libvpx-1.4.0, diff from their mkvparser.cpp and android's libvpx from the link above is these two commits:

libvpx-1.5.0 has a much more recent libwebm

the report is definitely not clear; I'm not sure if the above 2 commits are related or if libvpx 1.4.0 is fine

anyway, severity isn't so high: libwebm is only used for vpxdec & vpxenc in libvpx; those are the examples programs that are barely used: they read/write vpx files and write/read raw videos from the disk
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-03-22 06:14:07 UTC
CVE-2016-1621 (
  libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H,
  and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code
  or cause a denial of service (memory corruption) via a crafted media file,
  related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 16:05:00 UTC
=media-libs/libvpx-1.4.0 is definitely affected.

=media-libs/libvpx-1.5.0 is the first version containing the fixes.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-03-12 23:27:50 UTC
Stabilisation was completed in bug #585350 and I've now removed vulnerable.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 05:26:38 UTC
Arches, Thank you for your work.

New GLSA Request filed.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 02:45:31 UTC
glsa release as part of -