| Summary: | dav1d new security issue CVE-2024-1580 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | dav1d-1.2.1-1.mga9.src.rpm | CVE: | CVE-2024-1580 |
| Status comment: | |||
| Attachments: | Sample video using the av1 codec | ||
|
Description
Nicolas Salguero
2024-03-25 16:48:35 CET
Nicolas Salguero
2024-03-25 16:49:15 CET
Status comment:
(none) =>
Fixed upstream in 1.4.0 and patch available from upsteam New version is best. I found no refrence to the CVE on the site, and nothing about 1.4.0; but a newer version 1.4.1: https://code.videolan.org/videolan/dav1d/-/commit/162fb6d85ce9e49af64ad55f1a16df1ac07067d1 I think this is the patch: https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51 Assigning this to Stig, who normally maintains the SRPM. Assignee:
bugsquad =>
smelror Suggested advisory: ======================== The updated packages fix a security vulnerability: An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. (CVE-2024-1580) References: https://lwn.net/Articles/966589/ ======================== Updated packages in core/updates_testing: ======================== dav1d-1.2.1-1.1.mga9 lib(64)dav1d6-1.2.1-1.1.mga9 lib(64)dav1d-devel-1.2.1-1.1.mga9 from SRPM: dav1d-1.2.1-1.1.mga9.src.rpm Status comment:
Fixed upstream in 1.4.0 and patch available from upsteam =>
(none)
katnatek
2024-04-03 19:45:30 CEST
Keywords:
(none) =>
advisory MGA9-64 Plasma Wayland on HP-Pavillion No installation issues. $ dav1d -v 1.2.1 $ dav1d -i 12demandeel1.avi -o 12.mpg Failed to probe demuxer for file 12demandeel1.avi I guess there is nothing wrong with this avi file since the command $ ffmpeg -i 12demandeel1.avi 12.mpg produces a mpg file that plays OK with vlc. Missing something??? CC:
(none) =>
herman.viaene
katnatek
2024-04-05 20:27:35 CEST
CC:
(none) =>
andrewsfarm I not see a good way other that have av1 video files to test this, give OK in base a clean install
LC_ALL=C urpmi dav1d
installing dav1d-1.2.1-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: dav1d
LC_ALL=C urpmi lib64dav1d6
Marking lib64dav1d6 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
installing lib64dav1d6-1.2.1-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64dav1d6 ##################################################################################################
1/1: removing lib64dav1d6-1.2.1-1.mga9.x86_64
##################################################################################################Whiteboard:
(none) =>
MGA9-64-OK @Herman: You fell into the same trap I did when first confronting "av1" files. I read them as "avi" instead. Almost did the same thing with the recent gstreamer update. @katnatek: Handbrake will transcode videos into the av1 codec if set up for it. I just did a couple for the gstreamer update. The resulting file uses an mp4 container and file suffix, but the av1 codec. I'm not familiar with dav1d, but will have a look. That took longer than expected. MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics. urpmq --whatrequires lib64dav1d6 produces a list that includes Chromium browser and vlc-plugins-common, among others. I chose vlc, and discovered it would not play the video for the av1 codec on this machine. Eventually, I found that vlc was trying to use GPU hardware acceleration to do the decoding, but my card doesn't support that codec. Removing the vlc vdpau plugin forced it to use the cpu, and then it played. $ strace -o dav1d.txt vlc Spinner.mp4 played the video, though there were a LOT of complaints about it in the terminal. (I think it REALLY wanted to use hardware acceleration) A check of the resulting file showed one time when it accessed "/usr/lib64/vlc/plugins/codec/libpng_plugin.so" so it appears to work OK. Created attachment 14495 [details]
Sample video using the av1 codec
The video I used is too big to attach. I found this one online.
Validating. Keywords:
(none) =>
validated_update (In reply to Thomas Andrews from comment #6) > > $ strace -o dav1d.txt vlc Spinner.mp4 played the video, though there were a > LOT of complaints about it in the terminal. (I think it REALLY wanted to use > hardware acceleration) A check of the resulting file showed one time when it > accessed "/usr/lib64/vlc/plugins/codec/libpng_plugin.so" so it appears to > work OK. Copy error. That was supposed to be "/usr/lib64/vlc/plugins/codec/libdav1d_plugin.so" - and it wasn't even the right libdav1d. Sigh. Another test using dragon produced a call to "/lib64/libdav1d.so.6" which is the correct library for this update. (In reply to Thomas Andrews from comment #7) > Created attachment 14495 [details] > Sample video using the av1 codec > > The video I used is too big to attach. I found this one online. https://github.com/SPBTV/video_av1_samples/blob/master/spbtv_sample_bipbop_av1_960x540_25fps.mp4 Same video I guess, I used vlc to play because urpmq --whatrequires lib64dav1d6 produce vlc-plugin-common as part of the output The video play well, BTW still not get how to test dav1d An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0111.html Status:
ASSIGNED =>
RESOLVED |