| Summary: | <media-libs/libvpx-1.5.0: remote code execution via crafted media file (CVE-2016-1621) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | chromium, kensington, media-video, phmagic |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1318185 | ||
| Whiteboard: | A2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 585350 | ||
| Bug Blocks: | |||
libvpx < 1.4.0 does not have libwebm libvpx-1.4.0, diff from their mkvparser.cpp and android's libvpx from the link above is these two commits: https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 libvpx-1.5.0 has a much more recent libwebm the report is definitely not clear; I'm not sure if the above 2 commits are related or if libvpx 1.4.0 is fine anyway, severity isn't so high: libwebm is only used for vpxdec & vpxenc in libvpx; those are the examples programs that are barely used: they read/write vpx files and write/read raw videos from the disk CVE-2016-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1621): libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792. =media-libs/libvpx-1.4.0 is definitely affected. =media-libs/libvpx-1.5.0 is the first version containing the fixes. Stabilisation was completed in bug #585350 and I've now removed vulnerable. Arches, Thank you for your work. New GLSA Request filed. glsa release as part of - https://security.gentoo.org/glsa/201603-09 |
From ${URL} : A vulnerability was found in libvpx. A maliciously crafted media file allows remote attackers to execute arbitrary code or cause a denial of service. Upstream fix: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 References: http://lwn.net/Vulnerabilities/680036/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.