Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 577606 (CVE-2016-1621) - <media-libs/libvpx-1.5.0: remote code execution via crafted media file (CVE-2016-1621)
Summary: <media-libs/libvpx-1.5.0: remote code execution via crafted media file (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2016-1621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: 585350
Blocks:
  Show dependency tree
 
Reported: 2016-03-17 11:42 UTC by Agostino Sarubbo
Modified: 2017-05-18 02:45 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-03-17 11:42:31 UTC
From ${URL} :

A vulnerability was found in libvpx. A maliciously crafted media file allows remote attackers to execute arbitrary code or cause a denial of service. 

Upstream fix:

https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1

References:

http://lwn.net/Vulnerabilities/680036/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-03-17 21:11:27 UTC
libvpx < 1.4.0 does not have libwebm

libvpx-1.4.0, diff from their mkvparser.cpp and android's libvpx from the link above is these two commits:
https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987
https://github.com/webmproject/libwebm/commit/568504e64e496e82a8c382ccbe752630c6a77987

libvpx-1.5.0 has a much more recent libwebm


the report is definitely not clear; I'm not sure if the above 2 commits are related or if libvpx 1.4.0 is fine


anyway, severity isn't so high: libwebm is only used for vpxdec & vpxenc in libvpx; those are the examples programs that are barely used: they read/write vpx files and write/read raw videos from the disk
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-03-22 06:14:07 UTC
CVE-2016-1621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1621):
  libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H,
  and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code
  or cause a denial of service (memory corruption) via a crafted media file,
  related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792.
Comment 3 Thomas Deutschmann gentoo-dev 2016-11-21 16:05:00 UTC
=media-libs/libvpx-1.4.0 is definitely affected.

=media-libs/libvpx-1.5.0 is the first version containing the fixes.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-03-12 23:27:50 UTC
Stabilisation was completed in bug #585350 and I've now removed vulnerable.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 05:26:38 UTC
Arches, Thank you for your work.

New GLSA Request filed.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 02:45:31 UTC
glsa release as part of - https://security.gentoo.org/glsa/201603-09