Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906107 (CVE-2023-32570) - <media-libs/dav1d-1.2.0: race condition leading to crash
Summary: <media-libs/dav1d-1.2.0: race condition leading to crash
Status: IN_PROGRESS
Alias: CVE-2023-32570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://code.videolan.org/videolan/da...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 910088
Blocks:
  Show dependency tree
 
Reported: 2023-05-11 04:21 UTC by John Helmert III
Modified: 2023-07-25 03:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:21:01 UTC
CVE-2023-32570:
https://code.videolan.org/videolan/dav1d/-/tags/1.2.0

VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.

Please bump to 1.2.0.
Comment 1 Luca Barbato gentoo-dev 2023-05-13 15:11:15 UTC
Thank you for the report!
Comment 2 Luca Barbato gentoo-dev 2023-05-13 16:03:07 UTC
I'll wait for https://code.videolan.org/videolan/dav1d/-/issues/426 to be fixed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 04:44:48 UTC
(In reply to Luca Barbato from comment #2)
> I'll wait for https://code.videolan.org/videolan/dav1d/-/issues/426 to be
> fixed.

Closed with: https://code.videolan.org/videolan/dav1d/-/commit/5c584cb332e585e2527f08a5d596fad59c1f8c9b
Comment 4 Larry the Git Cow gentoo-dev 2023-05-31 07:00:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e355a878b25f04e312e370946575fab5a0a785e

commit 1e355a878b25f04e312e370946575fab5a0a785e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-05-31 06:39:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-31 06:56:27 +0000

    media-libs/dav1d: add 1.2.0
    
    Bug: https://bugs.gentoo.org/906107
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/dav1d/Manifest           |  1 +
 media-libs/dav1d/dav1d-1.2.0.ebuild | 61 +++++++++++++++++++++++++++++++++++++
 media-libs/dav1d/dav1d-9999.ebuild  | 12 +++++---
 3 files changed, 69 insertions(+), 5 deletions(-)