Bug 16019 - libvpx new security issue CVE-2015-1258
Summary: libvpx new security issue CVE-2015-1258
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA4...
Keywords: validated_update
Reported: 2015-05-22 18:18 CEST by David Walser
Modified: 2015-07-01 14:41 CEST
Source RPM: libvpx-1.3.0-3.mga5.src.rpm

Description David Walser 2015-05-22 18:18:00 CEST
In Bug 15993, Google Chrome fixed a security issue in its bundled libvpx by updating to 1.4.0 and adding a size-limit build option.  We may need to fix this in our libvpx package too.

David Walser 2015-05-22 18:18:10 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-14 02:35:34 CEST
The size limit configure option that Google used was added in 1.4.0, initially during this commit:
https://chromium.googlesource.com/webm/libvpx/+/943e43273b0a7369d07714e7fd2e19fecfb11c7c%5E!/

I've added that patch and the configure option Google used in Cauldron SVN.  Hopefully that'll work out.

If not, the other patches to the affected section of code that went into 1.4.0 are:
https://chromium.googlesource.com/webm/libvpx/+/f68aaa38d65c0e97945b102c55e66c111396937c%5E!/
https://chromium.googlesource.com/webm/libvpx/+/18a7f69dae2a81a566692993897b07b651b2d9ec%5E!/
https://chromium.googlesource.com/webm/libvpx/+/423e8a9727b25d54de24630f9c042fd5bddf7c8d%5E!/
Comment 2 David Walser 2015-06-20 16:58:09 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libvpx packages fix security vulnerability:

libvpx before 1.4.0 allows remote attackers to trigger a negative value for a
size field, and consequently cause a denial of service or possibly have
unspecified other impact, via a crafted frame size in VP9 video data
(CVE-2015-1258).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1258
http://googlechromereleases.blogspot.com/2015/05/stable-channel-update_19.html
========================

Updated packages in core/updates_testing:
========================
libvpx1-1.3.0-1.1.mga4
libvpx-devel-1.3.0-1.1.mga4
libvpx-utils-1.3.0-1.1.mga4
libvpx1-1.3.0-3.1.mga5
libvpx-devel-1.3.0-3.1.mga5
libvpx-utils-1.3.0-3.1.mga5

from SRPMS:
libvpx-1.3.0-1.1.mga4.src.rpm
libvpx-1.3.0-3.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 3 Herman Viaene 2015-06-23 10:43:17 CEST
MGA4-64 on HP Probook 6555b
No installation issues.
Tested as per bug15993: general browsing, acid3 and sunspider tests run OK.

CC: (none) => herman.viaene

Herman Viaene 2015-06-23 10:44:38 CEST

Whiteboard: MGA4TOO => MGA4TOO has_procedure MGA4-64-OK

Comment 4 David Walser 2015-06-23 16:04:16 CEST
This update specifically affects VP9 video decoding, so please make sure that gets tested.
Comment 5 Herman Viaene 2015-06-29 14:41:25 CEST
MGA4-32 on AcerD620 Xfce.
No installation issues. Installed chromium browser
Tested as per bug15993 with chromium: general browsing, acid3 and sunspider tests run OK.
Tested VP9 with chromium using https://www.youtube.com/watch?v=Ctjm1kxw-BM codec test: OK

MGA5-64 on HP Probook 6555b KDE
No installation issues.  Installed chromium browser
Tested as per bug15993 with chromium: general browsing, acid3 and sunspider tests run OK.
Tested VP9 with chromium using https://www.youtube.com/watch?v=Ctjm1kxw-BM codec test: video window message "Error occured". This works OK with Firefox, but I guess this one does not use libvpx.

Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK

Comment 6 Dave Hodgins 2015-07-01 01:16:24 CEST
Adding the MGA5-64-OK whiteboard entry based on comment 5.

Advisory committed to svn.

Someone from the sysadmin team please push 16019.adv to updates on both
Mageia 5 and 4.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA4TOO has_procedure MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2015-07-01 14:41:05 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0249.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

