Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701834 (CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433) - <media-libs/libvpx-{1.7.0-r1,1.8.1}: multiple vulnerabilities (CVE-2019-{9232,9325,9433,9371})
Summary: <media-libs/libvpx-{1.7.0-r1,1.8.1}: multiple vulnerabilities (CVE-2019-{9232...
Status: IN_PROGRESS
Alias: CVE-2019-9232, CVE-2019-9325, CVE-2019-9371, CVE-2019-9433
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-12-02 23:11 UTC by GLSAMaker/CVETool Bot
Modified: 2019-12-26 17:03 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/libvpx-1.7.0-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 23:11:50 UTC
CVE-2019-9232 (https://nvd.nist.gov/vuln/detail/CVE-2019-9232):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is not needed for
  exploitation. Product: AndroidVersions: Android-10Android ID: A-122675483

CVE-2019-9325 (https://nvd.nist.gov/vuln/detail/CVE-2019-9325):
  In libvpx, there is a possible out of bounds read due to a missing bounds
  check. This could lead to remote information disclosure with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: AndroidVersions: Android-10Android ID: A-112001302

CVE-2019-9433 (https://nvd.nist.gov/vuln/detail/CVE-2019-9433):
  In libvpx, there is a possible information disclosure due to improper input
  validation. This could lead to remote information disclosure with no
  additional execution privileges needed. User interaction is needed for
  exploitation. Product: AndroidVersions: Android-10Android ID: A-80479354

CVE-2019-9371 (https://nvd.nist.gov/vuln/detail/CVE-2019-9371):
  In libvpx, there is a possible resource exhaustion due to improper input
  validation. This could lead to remote denial of service with no additional
  execution privileges needed. User interaction is needed for exploitation.
  Product: AndroidVersions: Android-10Android ID: A-132783254
Comment 1 Mike Gilbert gentoo-dev 2019-12-02 23:52:43 UTC
There is no information indicating what versions of libvpx are affected.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-05 05:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73760c996a3562ec9d29db3cbab77b8ef8dcc230

commit 73760c996a3562ec9d29db3cbab77b8ef8dcc230
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:11:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:14 +0000

    media-libs/libvpx: bump to v1.8.1
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest            |   1 +
 media-libs/libvpx/libvpx-1.8.1.ebuild | 119 ++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64e1f924824033b61856a1c4a0162ab675a57a4

commit f64e1f924824033b61856a1c4a0162ab675a57a4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-05 05:09:17 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-05 05:15:12 +0000

    media-libs/libvpx: security rev bump
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...libvpx-1.7.0-CVE-2019-9232_9325_9371_9433.patch | 211 +++++++++++++++++++++
 media-libs/libvpx/libvpx-1.7.0-r1.ebuild           | 131 +++++++++++++
 2 files changed, 342 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-05 08:38:46 UTC
amd64 stable
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-12-08 03:26:49 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-09 08:00:19 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-09 08:48:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-09 12:10:21 UTC
ppc64 stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-12-09 18:39:31 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 10:56:09 UTC
ppc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:06:26 UTC
arm stable
Comment 11 Larry the Git Cow gentoo-dev 2019-12-26 17:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0614c44475793213f4d21c8f5c8b84977a6a1956

commit 0614c44475793213f4d21c8f5c8b84977a6a1956
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-26 11:27:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-26 17:03:02 +0000

    media-libs/libvpx: security cleanup
    
    Bug: https://bugs.gentoo.org/701834
    Package-Manager: Portage-2.3.83, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/14129
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libvpx/Manifest               |   7 --
 media-libs/libvpx/libvpx-1.5.0.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.6.0-r1.ebuild | 116 ---------------------------
 media-libs/libvpx/libvpx-1.6.1.ebuild    | 127 ------------------------------
 media-libs/libvpx/libvpx-1.7.0.ebuild    | 130 ------------------------------
 media-libs/libvpx/libvpx-1.8.0-r1.ebuild | 120 ----------------------------
 media-libs/libvpx/libvpx-1.8.0.ebuild    | 131 -------------------------------
 7 files changed, 758 deletions(-)