| Summary: | aom new security issue CVE-2021-30474 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | aom-2.0.1-3.1.mga8.src.rpm | CVE: | CVE-2021-30474 |
| Status comment: | | | |
Description
David Walser
2021-10-12 23:17:19 CEST
openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/

Comment 1
    Status comment: (none) => Patch available from upstream

Comment 2
Suggested advisory:
========================

The updated packages fix a security vulnerability:

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free. (CVE-2021-30474)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30474
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009569.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/
========================

Updated packages in core/updates_testing:
========================
aom-2.0.1-3.2.mga8
lib(64)aom2-2.0.1-3.2.mga8
lib(64)aom-devel-2.0.1-3.2.mga8
aom-extra-tools-2.0.1-3.2.mga8

from SRPM:
aom-2.0.1-3.2.mga8.src.rpm
    Assignee: bugsquad => qa-bugs

Comment 3
Len Lawrence
Permission denied on aom link from Mitre CVE issue.
    CC: (none) => tarazed25

Comment 4
(In reply to Len Lawrence from comment #3)
> Permission denied on aom link from Mitre CVE issue.

Which link? https://aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e opens ok here.
    CC: (none) => davidwhodgins

Comment 5
mga8, x64
Updated the packages with qarepo.
$ ls /usr/bin/aom*
/usr/bin/aomanalyzer* /usr/bin/aomdec* /usr/bin/aomenc*
$ urpmq --whatrequires lib64aom2 | uniq
aom
aom-extra-tools
gstreamer1.0-plugins-bad
lib64aom2
lib64avcodec58
lib64heif1
lib64myth31
lib64xine2
mythtv-plugin-archive
mythtv-plugin-browser
mythtv-plugin-game
mythtv-plugin-music
mythtv-plugin-netvision
mythtv-plugin-news
mythtv-plugin-weather
mythtv-plugin-zoneminder
vlc-plugin-common
Ran a series of traces to look for usage of aom.
$ strace -o parole.trace parole LammasTide.wav
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
$ strace -o vlc.trace vlc Corelli.....mkv
$ grep aom vlc.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0
$ strace -o avi.trace parole corelli.avi
$ grep aom avi.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
$ strace -o tv.trace vlc channels.xspf
$ grep aom tv.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0
It looks like aom turns up on the plugin side for these applications. Taking that as confirmation of use.
No help for aomanalyzer.
$ aomanalyzer -h
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1
The /usr/share/doc readme.md file is aimed at developers and development testing.
$ aomenc --help
Usage: aomenc <options> -o dst_filename src_filename
The options confirm that these are developer tools which need background knowledge.
Sending this on.
    Whiteboard: (none) => MGA8-64-OK

Comment 6
Len Lawrence
@Dave in reply to comment 4:
https://bugs.chromium.org/p/aomedia/issues/detail?id=3000

Probably need an account for the project.

Comment 7
(In reply to Len Lawrence from comment #6)
> @Dave in reply to comment 4:
> https://bugs.chromium.org/p/aomedia/issues/detail?id=3000
>
> Probably need an account for the project.

Looks like it. When I try the link, I get "permission denied" too, but then it diverts to a Google accounts login screen. I left.

Validating. Advisory in Comment 2.
    Keywords: (none) => validated_update
Comment 8
Dave Hodgins
2021-10-20 21:41:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0482.html
    Keywords: (none) => advisory
    Resolution: (none) => FIXED
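Added example, written for this page and not taken from the bug report or from the aom project, building on the strace check in comment 5. A stat() on the plugin file is what the GStreamer and VLC plugin-directory scans produce, and on its own it does not show that libgstaom.so, libaom_plugin.so or libaom.so.2 was mapped into the player; the signal to look for is a successful open(at) of the object, which is what the dynamic loader does before it mmap()s a library. The script below classifies aom-related lines in an strace log on that basis. The two trace files it writes are constructed samples modelled on the lines quoted in comment 5, not captured output, and trace_and_report is an assumed helper that needs strace installed.

```shell
#!/bin/sh
# Added example, not from the bug report: keep "the host looked at the plugin
# file" (registry scan) apart from "the host actually opened the plugin or
# libaom.so.2" when reading an strace log.
#
# aom_trace_report TRACEFILE
#   prints one line per aom-related syscall, tagged SCAN, LOAD or OTHER, and
#   returns 0 if at least one successful open of an aom object was seen.
aom_trace_report() {
    awk '
        # strace -f -o prefixes each line with the PID; drop it before matching.
        { line = $0; sub(/^[0-9]+ +/, "", line) }
        line !~ /aom/ { next }
        # Metadata-only calls: what a plugin-directory scan produces.
        line ~ /^(stat|lstat|newfstatat|statx|access|readlink)\(/ {
            print "SCAN  " line; next
        }
        # A successful open(at) is what the dynamic loader does before mmap().
        line ~ /^(open|openat)\(/ && line !~ /= -1 / {
            print "LOAD  " line; loaded = 1; next
        }
        { print "OTHER " line }
        END { exit loaded ? 0 : 1 }
    ' "$1"
}

# trace_and_report PROGRAM [ARGS...]   (assumed helper; needs strace)
#   runs PROGRAM under strace, following children and keeping only
#   file-related syscalls, then reports on the resulting trace.
trace_and_report() {
    log=$(mktemp) || return 2
    strace -f -o "$log" -e trace=%file "$@" || true
    aom_trace_report "$log"
}

# write_sample_traces
#   writes two constructed traces (modelled on the lines quoted in comment 5,
#   not captured from a real run) and prints the directory that holds them.
write_sample_traces() {
    dir=$(mktemp -d) || return 2
    # Case A: the plugin was only stat()ed and libaom.so.2 was not found.
    cat >"$dir/scan_only.trace" <<'EOF'
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/libaom.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
    # Case B: the plugin was dlopen()ed and pulled in libaom.so.2 (PID-prefixed
    # lines, as strace -f -o writes them).
    cat >"$dir/loaded.trace" <<'EOF'
4242  stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0
4242  openat(AT_FDCWD, "/usr/lib64/vlc/plugins/codec/libaom_plugin.so", O_RDONLY|O_CLOEXEC) = 17
4242  openat(AT_FDCWD, "/usr/lib64/libaom.so.2", O_RDONLY|O_CLOEXEC) = 18
EOF
    printf '%s\n' "$dir"
}

# Demonstration on the constructed traces.
demo() {
    d=$(write_sample_traces) || return 2
    for f in "$d/scan_only.trace" "$d/loaded.trace"; do
        printf '== %s\n' "$f"
        if aom_trace_report "$f"; then
            echo "result: an aom object was opened (code loaded)"
        else
            echo "result: no successful open of an aom object (scan only?)"
        fi
    done
    rm -rf "$d"
}

demo
```

Trace the player with `strace -f` so that its helper threads and child processes are followed; the candidate applications to trace are the ones `urpmq --whatrequires lib64aom2` lists in comment 5. To confirm that the opened libaom.so.2 is the updated build rather than a stale copy, `rpm -qf` on the path printed in a LOAD line names the owning package.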