Bug 22463 - libvpx new security issue CVE-2017-13194
Summary: libvpx new security issue CVE-2017-13194
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-01-26 05:27 CET by David Walser
Modified: 2018-02-06 07:26 CET (History)
5 users

See Also:
Source RPM: libvpx-1.6.1-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-01-26 05:27:19 CET
openSUSE has issued an advisory today (January 25):
https://lists.opensuse.org/opensuse-updates/2018-01/msg00088.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-26 05:27:26 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-01-26 06:32:32 CET
Fedora has issued an advisory for this on January 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K7IIUY6YMQMZRGUJWQTDO45UHYP4222K/
Comment 2 Marja Van Waes 2018-01-26 07:15:25 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => cjw, marja11

Comment 3 Christiaan Welvaart 2018-01-28 21:41:39 CET
I ported the commit from libvpx 1.7.0 in git to 1.5.0 and verified that playback still works in chromium (youtube videos reported as VP9 + opus). Updated packages are in updates_testing.

SRPM
libvpx-1.5.0-3.1.mga6.src.rpm
RPMS
i586:
libvpx3-1.5.0-3.1.mga6.i586.rpm
libvpx-devel-1.5.0-3.1.mga6.i586.rpm
libvpx-utils-1.5.0-3.1.mga6.i586.rpm
x86-64:
lib64vpx3-1.5.0-3.1.mga6.x86_64.rpm
lib64vpx-devel-1.5.0-3.1.mga6.x86_64.rpm
libvpx-utils-1.5.0-3.1.mga6.x86_64.rpm
armv5:
libvpx3-1.5.0-3.1.mga6.armv5tl.rpm
libvpx-devel-1.5.0-3.1.mga6.armv5tl.rpm
libvpx-utils-1.5.0-3.1.mga6.armv5tl.rpm
armv7:
libvpx3-1.5.0-3.1.mga6.armv7hl.rpm
libvpx-devel-1.5.0-3.1.mga6.armv7hl.rpm
libvpx-utils-1.5.0-3.1.mga6.armv7hl.rpm
Comment 4 David Walser 2018-01-28 22:08:56 CET
Thanks Christiaan!  I backported your patch to Mageia 5 and fixed the Mageia 6 SPEC to put the subrel in the correct place.  Do you have a URL of a video that uses this?

Advisory:
========================

Updated libvpx packages fix security vulnerability:

A flaw was found in libvpx related to odd frame width, which may lead to a
denial of service (CVE-2017-13194).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13194
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K7IIUY6YMQMZRGUJWQTDO45UHYP4222K/
========================

Updated packages in core/updates_testing:
========================
libvpx1-1.3.0-3.2.mga5
libvpx-devel-1.3.0-3.2.mga5
libvpx-utils-1.3.0-3.2.mga5
libvpx3-1.5.0-3.1.mga6
libvpx-devel-1.5.0-3.1.mga6
libvpx-utils-1.5.0-3.1.mga6

from SRPMS:
libvpx-1.3.0-3.2.mga5.src.rpm
libvpx-1.5.0-3.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
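The advisory above lists the fixed package versions, and the QA steps in the following comments amount to confirming that the installed libvpx packages are at least those versions before testing playback. The script below is an added example (not Mageia's own tooling) that performs that check: it parses `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output and compares each package against the advisory's Mageia 6 list using a simplified rpmvercmp (numeric segments compare as integers, alphabetic ones lexically, numeric beats alphabetic). The installed-package sample is constructed for the example, including the chromium line, and tilde/caret ordering from real rpm is omitted since none of the labels on this page use it.

```python
"""Check installed libvpx packages against the fixed versions from the advisory.

Added example, not Mageia's QA tooling. Implements a simplified rpmvercmp
(no tilde/caret handling; assumption: none of the labels here use them).
"""
import re

# Fixed NVRs copied from the advisory in comment 4 (Mageia 6 set).
FIXED_NVRS = [
    "libvpx3-1.5.0-3.1.mga6",
    "libvpx-devel-1.5.0-3.1.mga6",
    "libvpx-utils-1.5.0-3.1.mga6",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# on a hypothetical host: libvpx3 is still the pre-update build, libvpx-utils
# is already updated, libvpx-devel is absent. Not real data from the report.
SAMPLE_RPM_QA = """\
libvpx3-1.5.0-3.mga6
libvpx-utils-1.5.0-3.1.mga6
chromium-browser-stable-64.0.3282.119-1.mga6
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as label a is older than, equal to, or newer than b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            # A numeric segment outranks an alphabetic one (rpm rule).
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Whichever label still has segments left is the newer one.
    return 1 if len(sa) > len(sb) else -1


def parse_nvr(nvr):
    """Split 'name-version-release' into its three parts (name may contain dashes)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(vr_a, vr_b):
    """Compare (version, release) tuples the way rpm does: version first, then release."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def check_installed(rpm_qa_output, fixed_nvrs=FIXED_NVRS):
    """Map each advisory package name to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line:
            n, v, r = parse_nvr(line)
            installed[n] = (v, r)
    result = {}
    for nvr in fixed_nvrs:
        n, v, r = parse_nvr(nvr)
        if n not in installed:
            result[n] = "not installed"
        elif vr_cmp(installed[n], (v, r)) >= 0:
            result[n] = "fixed"
        else:
            result[n] = "vulnerable"
    return result


if __name__ == "__main__":
    for name, status in check_installed(SAMPLE_RPM_QA).items():
        print(f"{name}: {status}")
```

On a real Mageia 6 host, replace `SAMPLE_RPM_QA` with the output of the `rpm -qa --qf` command quoted above; for Mageia 5, swap `FIXED_NVRS` for the `libvpx1-1.3.0-3.2.mga5` set from the same advisory.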

Comment 5 Christiaan Welvaart 2018-01-28 23:26:16 CET
In chromium on cauldron and mga6, pretty much every recent youtube video plays in VP9+opus, but here are some random examples:
CRAY has something new:
https://www.youtube.com/watch?v=QAf6rOxLJL8
some dancing in LA:
https://www.youtube.com/watch?v=cvCrYFfUE4o

To check what kind of video(s) chromium is playing (youtube offers several formats):
chrome://media-internals
Comment 6 David Walser 2018-01-28 23:51:30 CET
Thanks again Christiaan.  I used the chrome://media-internals to find that another link a friend sent me yesterday was also using vpx:
https://www.youtube.com/watch?v=NswWvNf_0gU

Working fine on Mageia 5 x86_64.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 7 Len Lawrence 2018-02-03 17:29:49 CET
Likewise for Mageia 6 :: x86_64

Installed chromium-browser and updated the vpx libraries.
Tried the suggested links and opened chrome://media-internals under another tab.  This kept track of all the videos played and showed that they were using the vp9/opus codecs.

OK for x86_64.

CC: (none) => tarazed25

Len Lawrence 2018-02-03 17:30:18 CET

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Len Lawrence 2018-02-05 23:19:13 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-06 05:37:56 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2018-02-06 07:26:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0112.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

