Bug 33280

Summary: aom new security issue CVE-2024-5171
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: aom-3.6.0-1.mga9.src.rpm CVE: CVE-2024-5171
Status comment:

Description Nicolas Salguero 2024-06-10 10:16:45 CEST 
Ubuntu has issued an advisory on June 6:
https://ubuntu.com/security/notices/USN-6815-1

The following patches fix the problem:
https://aomedia.googlesource.com/aom/+/19d9966572a410804349e1a8ee2017fed49a6dab
https://aomedia.googlesource.com/aom/+/8156fb76d88845d716867d20333fd27001be47a8

Mageia 9 is also affected.
Nicolas Salguero 2024-06-10 10:17:21 CEST

CVE: (none) => CVE-2024-5171
Source RPM: (none) => aom-3.8.2-2.mga10.src.rpm
Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-06-10 20:25:31 CEST 
Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-06-13 13:47:11 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. (CVE-2024-5171)

References:
https://ubuntu.com/security/notices/USN-6815-1
========================

Updated packages in core/updates_testing:
========================
aom-3.6.0-1.1.mga9
lib(64)aom3-3.6.0-1.1.mga9
lib(64)aom-devel-3.6.0-1.1.mga9

from SRPM:
aom-3.6.0-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Patches available from Ubuntu and upstream => (none)
Source RPM: aom-3.8.2-2.mga10.src.rpm => aom-3.6.0-1.mga9.src.rpm
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)

katnatek 2024-06-13 19:49:07 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-06-14 04:40:52 CEST 
RH mageia 9 x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64aom3-3.6.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64aom3             ##################################################################################################
      1/1: removing lib64aom3-3.6.0-1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi aom

installing aom-3.6.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: aom                   ##################################################################################################

References Bug#29808 comment#21 , we lost some tools since that time

strace vlc ountain_2997_3000kbps_1280x720_1x1PAR.ivf
Shows 
newfstatat(AT_FDCWD, "/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=15336, ...}, 0) = 0

strace gst-play-1.0  Fountain_2997_3000kbps_1280x720_1x1PAR.ivf
newfstatat(AT_FDCWD, "/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=53520, ...}, 0) = 0

aomdec --help
aomenc --help

Shows the help

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-06-14 14:46:46 CEST 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-06-14 19:31:16 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0220.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED