Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 701834 (CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433)

Summary: <media-libs/libvpx-{1.7.0-r1,1.8.1}: multiple vulnerabilities (CVE-2019-{9232,9325,9433,9371})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: chromium, media-video
Priority: Normal Keywords: STABLEREQ
Version: unspecifiedFlags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
Whiteboard: B2 [stable]
Package list:
media-libs/libvpx-1.7.0-r1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 23:11:50 UTC
CVE-2019-9232 (https://nvd.nist.gov/vuln/detail/CVE-2019-9232):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is not needed for
  exploitation. Product: AndroidVersions: Android-10Android ID: A-122675483

CVE-2019-9325 (https://nvd.nist.gov/vuln/detail/CVE-2019-9325):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: AndroidVersions: Android-10Android ID: A-112001302

CVE-2019-9433 (https://nvd.nist.gov/vuln/detail/CVE-2019-9433):
  In libvpx, there is a possible information disclosure due to improper input
  validation. This could lead to remote information disclosure with no
  additional execution privileges needed. User interaction is needed for
  exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354

CVE-2019-9371 (https://nvd.nist.gov/vuln/detail/CVE-2019-9371):
  In libvpx, there is a possible resource exhaustion due to improper input
  validation. This could lead to remote denial of service with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: AndroidVersions: Android-10Android ID: A-132783254
Comment 1 Mike Gilbert gentoo-dev 2019-12-02 23:52:43 UTC
There is no information indicating what versions of libvpx are affected.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-05 05:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73760c996a3562ec9d29db3cbab77b8ef8dcc230

commit 73760c996a3562ec9d29db3cbab77b8ef8dcc230
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:11:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:14 +0000

    media-libs/libvpx: bump to v1.8.1
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest            |   1 +
 media-libs/libvpx/libvpx-1.8.1.ebuild | 119 ++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64e1f924824033b61856a1c4a0162ab675a57a4

commit f64e1f924824033b61856a1c4a0162ab675a57a4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:09:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:12 +0000

    media-libs/libvpx: security rev bump
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...libvpx-1.7.0-CVE-2019-9232_9325_9371_9433.patch | 211 +++++++++++++++++++++
 media-libs/libvpx/libvpx-1.7.0-r1.ebuild           | 131 +++++++++++++
 2 files changed, 342 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-05 08:38:46 UTC
amd64 stable
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-12-08 03:26:49 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-09 08:00:19 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-09 08:48:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-09 12:10:21 UTC
ppc64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-12-09 18:39:31 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 10:56:09 UTC
ppc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:06:26 UTC
arm stable
Comment 11 Larry the Git Cow gentoo-dev 2019-12-26 17:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0614c44475793213f4d21c8f5c8b84977a6a1956

commit 0614c44475793213f4d21c8f5c8b84977a6a1956
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-26 11:27:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-26 17:03:02 +0000

    media-libs/libvpx: security cleanup
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.83, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/14129
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest               |   7 --
 media-libs/libvpx/libvpx-1.5.0.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.6.0-r1.ebuild | 116 ---------------------------
 media-libs/libvpx/libvpx-1.6.1.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.7.0.ebuild    | 130 ------------------------------
 media-libs/libvpx/libvpx-1.8.0-r1.ebuild | 120 ----------------------------
 media-libs/libvpx/libvpx-1.8.0.ebuild    | 131 -------------------------------
 7 files changed, 758 deletions(-)