Summary: | <media-libs/libvpx-1.13.0-r1: Heap buffer overflow | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | chromium, media-video |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa+] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 914877 | ||
Bug Blocks: | 914874 | ||
Description
Sam James
2023-09-28 05:00:02 UTC
The commits don't apply cleanly to 1.13.0 but they do if we use upstream's cherry-picks from the m14-5735 branch (https://github.com/webmproject/libvpx/commits/m114-5735):

* https://github.com/webmproject/libvpx/commit/972691e9af302f0bc14998e78a6d54f7861c92e5
* https://github.com/webmproject/libvpx/commit/7aaffe2df4c9426ab204a272ca5ca52286ca86d4

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e33ebf94469ab30c5878d789081e6e8e6fcc732

commit 4e33ebf94469ab30c5878d789081e6e8e6fcc732
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-09-28 05:10:29 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-09-28 05:11:08 +0000

    media-libs/libvpx: backport CVE-2023-5217 fix

    Bug: https://bugs.gentoo.org/914871
    Bug: https://bugs.gentoo.org/914875
    Closes: https://github.com/gentoo/gentoo/pull/33095
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-1.13.0-VP8-disallow-thread-count-changes.patch | 53 ++++++++
 ...pi_test-add-ConfigResizeChangeThreadCount.patch | 94 +++++++++++++
 media-libs/libvpx/libvpx-1.13.0-r1.ebuild | 145 +++++++++++++++++++++
 3 files changed, 292 insertions(+)

GLSA request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=78441d962cbe20f36c819692b8c5ea5befbaf0be

commit 78441d962cbe20f36c819692b8c5ea5befbaf0be
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-04 10:49:17 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-10-04 10:49:54 +0000

    [ GLSA 202310-04 ] libvpx: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/914875
    Bug: https://bugs.gentoo.org/914987
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-04.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

Please cleanup, thanks!

commit c9ecf0bde49f27177c9f1b979293b01378809309
Author: John Helmert III <ajak@gentoo.org>
Date: Thu Dec 21 17:26:51 2023 -0800

    media-libs/libvpx: drop 1.12.0-r1, 1.13.0, 1.13.0-r1