
Bug 701834 (CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433)

Summary: <media-libs/libvpx-{1.7.0-r1,1.8.1}: multiple vulnerabilities (CVE-2019-{9232,9325,9433,9371})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chromium, media-video
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve]
Package list: media-libs/libvpx-1.7.0-r1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 23:11:50 UTC
CVE-2019-9232 (https://nvd.nist.gov/vuln/detail/CVE-2019-9232):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is not needed for
  exploitation. Product: Android. Versions: Android-10. Android ID: A-122675483

CVE-2019-9325 (https://nvd.nist.gov/vuln/detail/CVE-2019-9325):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: Android. Versions: Android-10. Android ID: A-112001302

CVE-2019-9433 (https://nvd.nist.gov/vuln/detail/CVE-2019-9433):
  In libvpx, there is a possible information disclosure due to improper input
  validation. This could lead to remote information disclosure with no
  additional execution privileges needed. User interaction is needed for
  exploitation. Product: Android. Versions: Android-10. Android ID: A-80479354

CVE-2019-9371 (https://nvd.nist.gov/vuln/detail/CVE-2019-9371):
  In libvpx, there is a possible resource exhaustion due to improper input
  validation. This could lead to remote denial of service with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: Android. Versions: Android-10. Android ID: A-132783254
Comment 1 Mike Gilbert gentoo-dev 2019-12-02 23:52:43 UTC
There is no information indicating what versions of libvpx are affected.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-05 05:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73760c996a3562ec9d29db3cbab77b8ef8dcc230

commit 73760c996a3562ec9d29db3cbab77b8ef8dcc230
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:11:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:14 +0000

    media-libs/libvpx: bump to v1.8.1
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest            |   1 +
 media-libs/libvpx/libvpx-1.8.1.ebuild | 119 ++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64e1f924824033b61856a1c4a0162ab675a57a4

commit f64e1f924824033b61856a1c4a0162ab675a57a4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:09:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:12 +0000

    media-libs/libvpx: security rev bump
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...libvpx-1.7.0-CVE-2019-9232_9325_9371_9433.patch | 211 +++++++++++++++++++++
 media-libs/libvpx/libvpx-1.7.0-r1.ebuild           | 131 +++++++++++++
 2 files changed, 342 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-05 08:38:46 UTC
amd64 stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-12-08 03:26:49 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-09 08:00:19 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-09 08:48:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-09 12:10:21 UTC
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-09 18:39:31 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 10:56:09 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:06:26 UTC
arm stable
Comment 11 Larry the Git Cow gentoo-dev 2019-12-26 17:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0614c44475793213f4d21c8f5c8b84977a6a1956

commit 0614c44475793213f4d21c8f5c8b84977a6a1956
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-26 11:27:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-26 17:03:02 +0000

    media-libs/libvpx: security cleanup
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.83, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/14129
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest               |   7 --
 media-libs/libvpx/libvpx-1.5.0.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.6.0-r1.ebuild | 116 ---------------------------
 media-libs/libvpx/libvpx-1.6.1.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.7.0.ebuild    | 130 ------------------------------
 media-libs/libvpx/libvpx-1.8.0-r1.ebuild | 120 ----------------------------
 media-libs/libvpx/libvpx-1.8.0.ebuild    | 131 -------------------------------
 7 files changed, 758 deletions(-)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-24 00:13:17 UTC
Tree is clean.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 18:32:42 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 18:41:32 UTC
This issue was resolved and addressed in
 GLSA 202003-59 at https://security.gentoo.org/glsa/202003-59
by GLSA coordinator Thomas Deutschmann (whissi).