Summary: | <media-libs/libvpx-1.5.0: remote code execution via crafted media file (CVE-2016-1621) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | chromium, kensington, media-video, phmagic |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1318185 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 585350 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2016-03-17 11:42:31 UTC
libvpx < 1.4.0 does not have libwebm libvpx-1.4.0, diff from their mkvparser.cpp and android's libvpx from the link above is these two commits: https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987 libvpx-1.5.0 has a much more recent libwebm the report is definitely not clear; I'm not sure if the above 2 commits are related or if libvpx 1.4.0 is fine anyway, severity isn't so high: libwebm is only used for vpxdec & vpxenc in libvpx; those are the examples programs that are barely used: they read/write vpx files and write/read raw videos from the disk CVE-2016-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1621): libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792. =media-libs/libvpx-1.4.0 is definitely affected. =media-libs/libvpx-1.5.0 is the first version containing the fixes. Stabilisation was completed in bug #585350 and I've now removed vulnerable. Arches, Thank you for your work. New GLSA Request filed. glsa release as part of - https://security.gentoo.org/glsa/201603-09 |