| Summary: | libvpx new security issues CVE-2019-2126 and CVE-2019-9371 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | geiger.david68210, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libvpx-1.8.0-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-11-30 16:05:01 CET
Ubuntu has issued an advisory for this on November 25:
https://usn.ubuntu.com/4199-1/

They also identified this commit as fixing a security issue between 1.8.0 and 1.8.1:
https://github.com/webmproject/libvpx/commit/6a7c84a2449dcc70de2525df209afea908622399

Summary: libvpx new security issue CVE-2019-9371 => libvpx new security issues CVE-2019-2126 and CVE-2019-9371

Assigning to Christiaan, CC DavidG, as the most recent active maintainers.

Assignee: bugsquad => cjw

Done for mga7!

Advisory:
========================

Updated libvpx packages fix security vulnerabilities:

It was discovered that libvpx did not properly handle certain malformed WebM media files. If an application using libvpx opened a specially crafted WebM file, a remote attacker could cause a denial of service, or possibly execute arbitrary code (CVE-2019-2126, CVE-2019-9371).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9371
https://usn.ubuntu.com/4199-1/
========================

Updated packages in core/updates_testing:
========================
libvpx6-1.8.1-1.mga7
libvpx-devel-1.8.1-1.mga7
libvpx-utils-1.8.1-1.mga7

from libvpx-1.8.1-1.mga7.src.rpm

Assignee: cjw => qa-bugs

Installed and tested without issues.
Tests:
- Play various VP8/9 files using mplayer;
- Decode and encode a VP8 file and VP9 file using ffmpeg and the libvpx-utils, then check the results with mplayer.
System: Mageia 7, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ uname -a
Linux marte 5.3.13-desktop-2.mga7 #1 SMP Mon Nov 25 20:30:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep vpx
libvpx-utils-1.8.1-1.mga7
lib64vpx6-1.8.1-1.mga7
$ strace -o mplayer.log mplayer source.webm
MPlayer 1.4-1.mga7.tainted-8.3.1 (C) 2000-2019 MPlayer Team
do_connect: could not connect to socket
connect: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.
Playing source.webm.
libavformat version 58.20.100 (external)
libavformat file format detected.
[lavf] stream 0: video (vp9), -vid 0
[lavf] stream 1: audio (opus), -aid 0, -alang eng
VIDEO: [VP90] 1920x1080 0bpp 23.957 fps 0.0 kbps ( 0.0 kbyte/s)
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 58.35.100 (external)
Selected video codec: [ffvp9] vfm: ffmpeg (FFmpeg VP9)
==========================================================================
<SNIP>
$ grep -i /libvpx mplayer.log
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libvpx.so.6.1.0", O_RDONLY) = 3
$ strace -o ffmpeg.log ffmpeg -c:v libvpx-vp9 -i source.webm -c:v libvpx-vp9 -b:v 2M test.webm
ffmpeg version 4.1.4 Copyright (c) 2000-2019 the FFmpeg developers
built with gcc 8.3.1 (Mageia 8.3.1-0.20190524.1.mga7) 20190524
configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopus --enable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-avresample --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-version3 --enable-libx264 --enable-libx265 --enable-libvo-amrwbenc --enable-libxvid
libavutil 56. 22.100 / 56. 22.100
libavcodec 58. 35.100 / 58. 35.100
libavformat 58. 20.100 / 58. 20.100
libavdevice 58. 5.100 / 58. 5.100
libavfilter 7. 40.101 / 7. 40.101
libavresample 4. 0. 0 / 4. 0. 0
libswscale 5. 3.100 / 5. 3.100
libswresample 3. 3.100 / 3. 3.100
libpostproc 55. 3.100 / 55. 3.100
[libvpx-vp9 @ 0xc34880] v1.8.1
Input #0, matroska,webm, from 'source.webm':
Metadata:
encoder : Lavf57.71.100
Duration: 00:02:43.36, start: -0.007000, bitrate: 1593 kb/s
Stream #0:0(eng): Video: vp9 (Profile 0), yuv420p(tv, bt709), 1920x1080, SAR 1:1 DAR 16:9, 23.96 fps, 23.96 tbr, 1k tbn, 1k tbc (default)
Stream #0:1(eng): Audio: opus, 48000 Hz, stereo, fltp (default)
File 'test.webm' already exists. Overwrite ? [y/N] y
[libvpx-vp9 @ 0xc38340] v1.8.1
Stream mapping:
Stream #0:0 -> #0:0 (vp9 (libvpx-vp9) -> vp9 (libvpx-vp9))
Stream #0:1 -> #0:1 (opus (native) -> opus (libopus))
Press [q] to stop, [?] for help
[libopus @ 0xc6e600] No bit rate set. Defaulting to 96000 bps.
[libvpx-vp9 @ 0xc6ce80] v1.8.1
Output #0, webm, to 'test.webm':
Metadata:
encoder : Lavf58.20.100
Stream #0:0(eng): Video: vp9 (libvpx-vp9), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], q=-1--1, 2000 kb/s, 23.96 fps, 1k tbn, 23.96 tbc (default)
Metadata:
encoder : Lavc58.35.100 libvpx-vp9
Side data:
cpb: bitrate max/min/avg: 0/0/0 buffer size: 0 vbv_delay: -1
Stream #0:1(eng): Audio: opus (libopus), 48000 Hz, stereo, flt, 96 kb/s (default)
Metadata:
encoder : Lavc58.35.100 libopus
frame= 3913 fps=2.6 q=0.0 Lsize= 49769kB time=00:02:43.35 bitrate=2495.9kbits/s speed=0.107x
video:47597kB audio:2087kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.172614%
$ grep -i /libvpx ffmpeg.log
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3

Whiteboard: (none) => MGA7-64-OK
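A script that automates the same two checks the QA comment above performs by hand (is the installed package at or above the fixed version, and is the libvpx the process actually opens the system one). This is an added example, not code from the bug report or from Mageia; the function names are hypothetical and the rpm and strace lines it consumes are constructed samples modelled on the session above.

```shell
#!/bin/sh
# Added example, not from the bug report: check that the fixed libvpx
# (>= 1.8.1-1.mga7 per the advisory above) is installed and is the object an
# application really opens. Inputs are plain text so it runs offline; on a
# live host feed it `rpm -q lib64vpx6 libvpx6` and an `strace -o app.log` log.

FIXED_EVR="1.8.1-1.mga7"

# Version-release from an rpm NVR such as "lib64vpx6-1.8.1-1.mga7"
# (version and release never contain '-', so take the last two fields).
evr_from_nvr() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+-[^-]+)$/\1/'
}

# Returns 0 if EVR "$1" is >= FIXED_EVR. sort -V approximates rpmvercmp;
# adequate for strings of this shape, not a full replacement.
evr_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Print OK/VULNERABLE for each NVR read from stdin.
classify_packages() {
    while IFS= read -r nvr; do
        [ -n "$nvr" ] || continue
        if evr_is_fixed "$(evr_from_nvr "$nvr")"; then
            printf 'OK %s\n' "$nvr"
        else
            printf 'VULNERABLE %s\n' "$nvr"
        fi
    done
}

# From an strace log on stdin, print libvpx objects opened successfully
# (return value is a descriptor, not -1 ENOENT).
libvpx_opened() {
    grep -E 'openat\(.*"[^"]*/libvpx\.so[^"]*".*\) = [0-9]+$' \
        | sed -E 's/.*"([^"]*\/libvpx\.so[^"]*)".*/\1/'
}

# Constructed sample data mirroring the QA session above.
SAMPLE_RPM="lib64vpx6-1.8.1-1.mga7
libvpx-utils-1.8.0-1.mga7"
SAMPLE_STRACE='openat(AT_FDCWD, "/home/u/libvpx.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 4'
printf '%s\n' "$SAMPLE_RPM" | classify_packages
printf '%s\n' "$SAMPLE_STRACE" | libvpx_opened
```

The strace check matters because a privately bundled or LD_LIBRARY_PATH copy of libvpx would not be covered by the package update even when rpm reports the fixed version.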
Thomas Backlund
2019-12-06 14:38:49 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0369.html

Status: NEW => RESOLVED