Bug 914875 - <media-libs/libvpx-1.13.0-r1: Heap buffer overflow
Summary: <media-libs/libvpx-1.13.0-r1: Heap buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 914877
Blocks: CVE-2023-5217
Reported: 2023-09-28 05:00 UTC by Sam James
Modified: 2024-01-21 10:14 UTC
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-28 05:00:02 UTC
See bug 914874.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-28 05:00:56 UTC
The commits don't apply cleanly to 1.13.0 but they do if we use upstream's cherry-picks from the m114-5735 branch (https://github.com/webmproject/libvpx/commits/m114-5735):
* https://github.com/webmproject/libvpx/commit/972691e9af302f0bc14998e78a6d54f7861c92e5
* https://github.com/webmproject/libvpx/commit/7aaffe2df4c9426ab204a272ca5ca52286ca86d4
Comment 2 Larry the Git Cow gentoo-dev 2023-09-28 05:11:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e33ebf94469ab30c5878d789081e6e8e6fcc732

commit 4e33ebf94469ab30c5878d789081e6e8e6fcc732
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-28 05:10:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-28 05:11:08 +0000

    media-libs/libvpx: backport CVE-2023-5217 fix
    
    Bug: https://bugs.gentoo.org/914871
    Bug: https://bugs.gentoo.org/914875
    Closes: https://github.com/gentoo/gentoo/pull/33095
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-1.13.0-VP8-disallow-thread-count-changes.patch |  53 ++++++++
 ...pi_test-add-ConfigResizeChangeThreadCount.patch |  94 +++++++++++++
 media-libs/libvpx/libvpx-1.13.0-r1.ebuild          | 145 +++++++++++++++++++++
 3 files changed, 292 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-04 08:14:33 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2023-10-04 10:49:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=78441d962cbe20f36c819692b8c5ea5befbaf0be

commit 78441d962cbe20f36c819692b8c5ea5befbaf0be
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-04 10:49:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-04 10:49:54 +0000

    [ GLSA 202310-04 ] libvpx: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/914875
    Bug: https://bugs.gentoo.org/914987
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-04.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-04 10:50:25 UTC
Please cleanup, thanks!
Comment 6 Hans de Graaff gentoo-dev Security 2024-01-21 10:14:31 UTC
commit c9ecf0bde49f27177c9f1b979293b01378809309
Author: John Helmert III <ajak@gentoo.org>
Date:   Thu Dec 21 17:26:51 2023 -0800

    media-libs/libvpx: drop 1.12.0-r1, 1.13.0, 1.13.0-r1