| Summary: | libvpx new security issue CVE-2017-13194 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, davidwhodgins, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | libvpx-1.6.1-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-01-26 05:27:19 CET
David Walser
2018-01-26 05:27:26 CET
Whiteboard:
(none) =>
MGA6TOO

Fedora has issued an advisory for this on January 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K7IIUY6YMQMZRGUJWQTDO45UHYP4222K/

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee:
bugsquad =>
pkg-bugs

I ported the commit from libvpx 1.7.0 in git to 1.5.0 and verified that playback still works in chromium (youtube videos reported as VP9 + opus).

Updated packages are in updates_testing.

SRPM
libvpx-1.5.0-3.1.mga6.src.rpm

RPMS
i586:
libvpx3-1.5.0-3.1.mga6.i586.rpm
libvpx-devel-1.5.0-3.1.mga6.i586.rpm
libvpx-utils-1.5.0-3.1.mga6.i586.rpm

x86-64:
lib64vpx3-1.5.0-3.1.mga6.x86_64.rpm
lib64vpx-devel-1.5.0-3.1.mga6.x86_64.rpm
libvpx-utils-1.5.0-3.1.mga6.x86_64.rpm

armv5:
libvpx3-1.5.0-3.1.mga6.armv5tl.rpm
libvpx-devel-1.5.0-3.1.mga6.armv5tl.rpm
libvpx-utils-1.5.0-3.1.mga6.armv5tl.rpm

armv7:
libvpx3-1.5.0-3.1.mga6.armv7hl.rpm
libvpx-devel-1.5.0-3.1.mga6.armv7hl.rpm
libvpx-utils-1.5.0-3.1.mga6.armv7hl.rpm

Thanks Christiaan! I backported your patch to Mageia 5 and fixed the Mageia 6 SPEC to put the subrel in the correct place.

Do you have a URL of a video that uses this?

Advisory:
========================

Updated libvpx packages fix security vulnerability:

A flaw was found in libvpx related to odd frame width, which may lead to a denial of service (CVE-2017-13194).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13194
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K7IIUY6YMQMZRGUJWQTDO45UHYP4222K/
========================

Updated packages in core/updates_testing:
========================
libvpx1-1.3.0-3.2.mga5
libvpx-devel-1.3.0-3.2.mga5
libvpx-utils-1.3.0-3.2.mga5
libvpx3-1.5.0-3.1.mga6
libvpx-devel-1.5.0-3.1.mga6
libvpx-utils-1.5.0-3.1.mga6

from SRPMS:
libvpx-1.3.0-3.2.mga5.src.rpm
libvpx-1.5.0-3.1.mga6.src.rpm

Version:
Cauldron =>
6

In chromium on cauldron and mga6, pretty much every recent youtube video plays in VP9+opus, but here are some random examples:

CRAY has something new:
https://www.youtube.com/watch?v=QAf6rOxLJL8

some dancing in LA:
https://www.youtube.com/watch?v=cvCrYFfUE4o

To check what kind of video(s) chromium is playing (youtube offers several formats):
chrome://media-internals

Thanks again Christiaan. I used the chrome://media-internals to find that another link a friend sent me yesterday was also using vpx:
https://www.youtube.com/watch?v=NswWvNf_0gU

Working fine on Mageia 5 x86_64.

Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-64-OK

Likewise for Mageia 6 :: x86_64

Installed chromium-browser and updated the vpx libraries. Tried the suggested links and opened chrome://media-internals under another tab. This kept track of all the videos played and showed that they were using the vp9/opus codecs.
OK for x86_64.

CC:
(none) =>
tarazed25
Len Lawrence
2018-02-03 17:30:18 CET
Whiteboard:
MGA5TOO MGA5-64-OK =>
MGA5TOO MGA5-64-OK MGA6-64-OK
Len Lawrence
2018-02-05 23:19:13 CET
Keywords:
(none) =>
validated_update
Dave Hodgins
2018-02-06 05:37:56 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0112.html

Status:
NEW =>
RESOLVED |