Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 828112 (CVE-2020-36129, CVE-2020-36130, CVE-2020-36131, CVE-2020-36133, CVE-2020-36134, CVE-2020-36135) - <media-libs/libaom-3.2.0: multiple vulnerabilities
Summary: <media-libs/libaom-3.2.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2020-36129, CVE-2020-36130, CVE-2020-36131, CVE-2020-36133, CVE-2020-36134, CVE-2020-36135
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 829898
Blocks: CVE-2021-30474, CVE-2021-30475 CVE-2021-30473
  Show dependency tree
 
Reported: 2021-12-04 04:25 UTC by John Helmert III
Modified: 2024-01-31 14:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-04 04:25:49 UTC
CVE-2020-36129 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2912&q=&can=1):

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.

Fixed in 3.2.0 (7a20d10027fd91fbe11e38182a1d45238e102c4a).

CVE-2020-36130 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2905&q=&can=1):

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.

Fixed in 3.0.0 (be4ee75fd762d361d0679cc892e4c74af8140093).

CVE-2020-36131 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2911&q=&can=1):

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.

Fixed in 3.0.0 (94bcbfe76b0fd5b8ac03645082dc23a88730c949).

CVE-2020-36133 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2913&q=&can=1):

AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.

Fixed in 3.2.0 (5c9bc4181071684d157fc47c736acf6c69a85d85).

CVE-2020-36134 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2914):

AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c.

Issue refers to https://bugs.chromium.org/p/aomedia/issues/detail?id=2940 which is fixed in 3.0.0 (5a1b33b710050b69557d26cf53d4943325481beb).

CVE-2020-36135 (https://bugs.chromium.org/p/aomedia/issues/detail?id=2910&q=&can=1):

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c.

Fixed in 3.0.0 (94bcbfe76b0fd5b8ac03645082dc23a88730c949).

So, please bump to 3.2.0.
Comment 1 Larry the Git Cow gentoo-dev 2021-12-24 06:14:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=628a37720393c8362cdecfaa9686e1e873f320c5

commit 628a37720393c8362cdecfaa9686e1e873f320c5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-24 06:13:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-24 06:13:33 +0000

    media-libs/libaom: add 3.2.0
    
    Bug: https://bugs.gentoo.org/816027
    Bug: https://bugs.gentoo.org/828112
    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libaom/Manifest            |  1 +
 media-libs/libaom/libaom-3.2.0.ebuild | 84 +++++++++++++++++++++++++++++++++++
 media-libs/libaom/libaom-9999.ebuild  | 13 ++++--
 3 files changed, 95 insertions(+), 3 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-09 15:48:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b879fded0dc01423d42526dbab7e9f66eefedbc

commit 8b879fded0dc01423d42526dbab7e9f66eefedbc
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-09 15:26:41 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-09 15:48:04 +0000

    media-libs/libaom: Cleanup vulnerable 2.0.0, 2.0.1 and 3.1.2
    
    Bug: https://bugs.gentoo.org/828112
    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libaom/Manifest                         |   3 -
 media-libs/libaom/files/libaom-1.0.0-armv7l.patch  |  13 ---
 .../libaom/files/libaom-1.0.0-update-vsx-ppc.patch | 126 ---------------------
 media-libs/libaom/files/libaom-1.0.0-version.patch |  10 --
 media-libs/libaom/files/libdirpc2.patch            |  48 --------
 media-libs/libaom/files/pthread_lib2.patch         |  14 ---
 media-libs/libaom/libaom-2.0.0.ebuild              |  76 -------------
 media-libs/libaom/libaom-2.0.1.ebuild              |  76 -------------
 media-libs/libaom/libaom-3.1.2.ebuild              |  76 -------------
 9 files changed, 442 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-31 13:58:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=79547e85d0408ff5ac12c87ed1c3639370e3f339

commit 79547e85d0408ff5ac12c87ed1c3639370e3f339
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 13:58:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 13:58:35 +0000

    [ GLSA 202401-32 ] libaom: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/793932
    Bug: https://bugs.gentoo.org/798126
    Bug: https://bugs.gentoo.org/828112
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-32.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)