CVE-2020-36129 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2912&q=&can=1):
AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.
Fixed in 3.2.0 (7a20d10027fd91fbe11e38182a1d45238e102c4a).

CVE-2020-36130 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2905&q=&can=1):
AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.
Fixed in 3.0.0 (be4ee75fd762d361d0679cc892e4c74af8140093).

CVE-2020-36131 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2911&q=&can=1):
AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.
Fixed in 3.0.0 (94bcbfe76b0fd5b8ac03645082dc23a88730c949).

CVE-2020-36133 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2913&q=&can=1):
AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.
Fixed in 3.2.0 (5c9bc4181071684d157fc47c736acf6c69a85d85).

CVE-2020-36134 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2914):
AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c.
Issue refers to https://bugs.chromium.org/p/aomedia/issues/detail?id=2940 which is fixed in 3.0.0 (5a1b33b710050b69557d26cf53d4943325481beb).

CVE-2020-36135 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2910&q=&can=1):
AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c.
Fixed in 3.0.0 (94bcbfe76b0fd5b8ac03645082dc23a88730c949).

So, please bump to 3.2.0.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=628a37720393c8362cdecfaa9686e1e873f320c5

commit 628a37720393c8362cdecfaa9686e1e873f320c5
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-24 06:13:33 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-24 06:13:33 +0000

    media-libs/libaom: add 3.2.0

    Bug: https://bugs.gentoo.org/816027
    Bug: https://bugs.gentoo.org/828112
    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libaom/Manifest | 1 +
 media-libs/libaom/libaom-3.2.0.ebuild | 84 +++++++++++++++++++++++++++++++++++
 media-libs/libaom/libaom-9999.ebuild | 13 ++++--
 3 files changed, 95 insertions(+), 3 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b879fded0dc01423d42526dbab7e9f66eefedbc

commit 8b879fded0dc01423d42526dbab7e9f66eefedbc
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:26:41 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:48:04 +0000

    media-libs/libaom: Cleanup vulnerable 2.0.0, 2.0.1 and 3.1.2

    Bug: https://bugs.gentoo.org/828112
    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libaom/Manifest | 3 -
 media-libs/libaom/files/libaom-1.0.0-armv7l.patch | 13 ---
 .../libaom/files/libaom-1.0.0-update-vsx-ppc.patch | 126 ---------------------
 media-libs/libaom/files/libaom-1.0.0-version.patch | 10 --
 media-libs/libaom/files/libdirpc2.patch | 48 --------
 media-libs/libaom/files/pthread_lib2.patch | 14 ---
 media-libs/libaom/libaom-2.0.0.ebuild | 76 -------------
 media-libs/libaom/libaom-2.0.1.ebuild | 76 -------------
 media-libs/libaom/libaom-3.1.2.ebuild | 76 -------------
 9 files changed, 442 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=79547e85d0408ff5ac12c87ed1c3639370e3f339

commit 79547e85d0408ff5ac12c87ed1c3639370e3f339
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 13:58:08 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 13:58:35 +0000

    [ GLSA 202401-32 ] libaom: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Bug: https://bugs.gentoo.org/828112
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-32.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)