Debian has issued an advisory on November 28: https://www.debian.org/security/2019/dsa-4578 This issue was fixed between 1.8.0 and 1.8.1 in this commit: https://github.com/webmproject/libvpx/commit/34d54b04e98dd0bac32e9aab0fbda0bf501bc742 We should probably just update to 1.8.1.
Ubuntu has issued an advisory for this on November 25: https://usn.ubuntu.com/4199-1/ They also identified this commit as fixing a security issue between 1.8.0 and 1.8.1: https://github.com/webmproject/libvpx/commit/6a7c84a2449dcc70de2525df209afea908622399
Summary: libvpx new security issue CVE-2019-9371 => libvpx new security issues CVE-2019-2126 and CVE-2019-9371
Assigning to Christiaan, CC DavidG, as the most recent active maintainers.
Assignee: bugsquad => cjw
CC: (none) => geiger.david68210
Done for mga7!
Advisory:
========================

Updated libvpx packages fix security vulnerabilities:

It was discovered that libvpx did not properly handle certain malformed WebM media files. If an application using libvpx opened a specially crafted WebM file, a remote attacker could cause a denial of service, or possibly execute arbitrary code (CVE-2019-2126, CVE-2019-9371).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9371
https://usn.ubuntu.com/4199-1/
========================

Updated packages in core/updates_testing:
========================
libvpx6-1.8.1-1.mga7
libvpx-devel-1.8.1-1.mga7
libvpx-utils-1.8.1-1.mga7

from libvpx-1.8.1-1.mga7.src.rpm
Assignee: cjw => qa-bugs
Installed and tested without issues.

Tests:
- Play various VP8/9 files using mplayer;
- Decode and encode a VP8 file and VP9 file using ffmpeg and the libvpx-utils, then check the results with mplayer.

System: Mageia 7, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.3.13-desktop-2.mga7 #1 SMP Mon Nov 25 20:30:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep vpx
libvpx-utils-1.8.1-1.mga7
lib64vpx6-1.8.1-1.mga7

$ strace -o mplayer.log mplayer source.webm
MPlayer 1.4-1.mga7.tainted-8.3.1 (C) 2000-2019 MPlayer Team
do_connect: could not connect to socket
connect: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing source.webm.
libavformat version 58.20.100 (external)
libavformat file format detected.
[lavf] stream 0: video (vp9), -vid 0
[lavf] stream 1: audio (opus), -aid 0, -alang eng
VIDEO:  [VP90]  1920x1080  0bpp  23.957 fps    0.0 kbps ( 0.0 kbyte/s)
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
libavcodec version 58.35.100 (external)
Selected video codec: [ffvp9] vfm: ffmpeg (FFmpeg VP9)
==========================================================================
<SNIP>

$ grep -i /libvpx mplayer.log
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libvpx.so.6.1.0", O_RDONLY) = 3

$ strace -o ffmpeg.log ffmpeg -c:v libvpx-vp9 -i source.webm -c:v libvpx-vp9 -b:v 2M test.webm
ffmpeg version 4.1.4 Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 8.3.1 (Mageia 8.3.1-0.20190524.1.mga7) 20190524
  configuration: --prefix=/usr --enable-shared --enable-pic --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include --disable-stripping --enable-postproc --enable-gpl --enable-pthreads --enable-libtheora --enable-libvorbis --disable-encoder=vorbis --enable-libvpx --enable-runtime-cpudetect --enable-libaom --enable-libdc1394 --enable-librtmp --enable-libspeex --enable-libfreetype --enable-libgsm --enable-libcelt --enable-libopus --enable-libopencv --enable-libopenjpeg --enable-libtwolame --enable-libxavs --enable-frei0r --enable-libmodplug --enable-libass --enable-gnutls --enable-libcdio --enable-libpulse --enable-libv4l2 --enable-avresample --enable-opencl --enable-libmp3lame --enable-sndio --enable-libdav1d --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-version3 --enable-libx264 --enable-libx265 --enable-libvo-amrwbenc --enable-libxvid
  libavutil      56. 22.100 / 56. 22.100
  libavcodec     58. 35.100 / 58. 35.100
  libavformat    58. 20.100 / 58. 20.100
  libavdevice    58.  5.100 / 58.  5.100
  libavfilter     7. 40.101 /  7. 40.101
  libavresample   4.  0.  0 /  4.  0.  0
  libswscale      5.  3.100 /  5.  3.100
  libswresample   3.  3.100 /  3.  3.100
  libpostproc    55.  3.100 / 55.  3.100
[libvpx-vp9 @ 0xc34880] v1.8.1
Input #0, matroska,webm, from 'source.webm':
  Metadata:
    encoder         : Lavf57.71.100
  Duration: 00:02:43.36, start: -0.007000, bitrate: 1593 kb/s
    Stream #0:0(eng): Video: vp9 (Profile 0), yuv420p(tv, bt709), 1920x1080, SAR 1:1 DAR 16:9, 23.96 fps, 23.96 tbr, 1k tbn, 1k tbc (default)
    Stream #0:1(eng): Audio: opus, 48000 Hz, stereo, fltp (default)
File 'test.webm' already exists. Overwrite ? [y/N] y
[libvpx-vp9 @ 0xc38340] v1.8.1
Stream mapping:
  Stream #0:0 -> #0:0 (vp9 (libvpx-vp9) -> vp9 (libvpx-vp9))
  Stream #0:1 -> #0:1 (opus (native) -> opus (libopus))
Press [q] to stop, [?] for help
[libopus @ 0xc6e600] No bit rate set. Defaulting to 96000 bps.
[libvpx-vp9 @ 0xc6ce80] v1.8.1
Output #0, webm, to 'test.webm':
  Metadata:
    encoder         : Lavf58.20.100
    Stream #0:0(eng): Video: vp9 (libvpx-vp9), yuv420p, 1920x1080 [SAR 1:1 DAR 16:9], q=-1--1, 2000 kb/s, 23.96 fps, 1k tbn, 23.96 tbc (default)
    Metadata:
      encoder         : Lavc58.35.100 libvpx-vp9
    Side data:
      cpb: bitrate max/min/avg: 0/0/0 buffer size: 0 vbv_delay: -1
    Stream #0:1(eng): Audio: opus (libopus), 48000 Hz, stereo, flt, 96 kb/s (default)
    Metadata:
      encoder         : Lavc58.35.100 libopus
frame= 3913 fps=2.6 q=0.0 Lsize=   49769kB time=00:02:43.35 bitrate=2495.9kbits/s speed=0.107x
video:47597kB audio:2087kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.172614%

$ grep -i /libvpx ffmpeg.log
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3
Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia
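The QA comment above validates the update in two steps: confirm the installed package version is the fixed one, and confirm (via strace) that the player actually opens the packaged libvpx.so.6 rather than some other copy. The script below is an added example that automates those two checks; it is not part of the bug report, the QA comment or the Mageia packaging. It parses an strace log for successful open/openat calls on libvpx.so, rejects loads from outside the distro library directories (a stale /usr/local build would otherwise silently shadow the update), and compares the upstream version from the rpm NEVR against the fixed 1.8.1 from the advisory. The strace lines it ships with are a constructed sample modelled on the log above, not a real capture; the package name lib64vpx6 and the version strings are taken from the QA comment.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the QA report): check that the
# tool under test really loads the updated, packaged libvpx.
# Fixed upstream version is taken from the advisory (1.8.1).
FIXED_VPX_VERSION="1.8.1"

# Constructed sample of strace -o output, modelled on the QA log above.
# The /usr/local line is a deliberately failed lookup (= -1), which must be
# ignored; only successfully opened objects count.
write_sample_log() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/lib64/libavcodec.so.58", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/local/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libvpx.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libvpx.so.6.1.0", O_RDONLY) = 3
EOF
}

# Print the distinct libvpx shared objects the traced process opened
# successfully (return value is a non-negative fd). Argument: strace log file.
loaded_libvpx_paths() {
    grep -E 'open(at)?\(.*"[^"]*/libvpx\.so[^"]*".*\) = [0-9]+' "$1" \
        | sed -E 's/.*"([^"]*\/libvpx\.so[^"]*)".*/\1/' \
        | sort -u
}

# version_ge A B: succeed when dotted-numeric version A >= B
# (pure sh, so it does not depend on GNU sort -V).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$ah" = "$a" ] && a="" || a="${a#*.}"
        [ "$bh" = "$b" ] && b="" || b="${b#*.}"
        ah=${ah:-0}; bh=${bh:-0}
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# Upstream version from an rpm NAME-VERSION-RELEASE string,
# e.g. lib64vpx6-1.8.1-1.mga7 -> 1.8.1
rpm_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*)-[^-]+$/\1/'
}

# update_effective LOG NEVR: succeed only if the traced tool loaded libvpx from
# a distro library directory and the installed package is at least the fixed
# version. Diagnostics go to stderr.
update_effective() {
    log="$1"; nevr="$2"
    paths=$(loaded_libvpx_paths "$log")
    [ -n "$paths" ] || { echo "no libvpx loaded by traced process" >&2; return 1; }
    for p in $paths; do
        case "$p" in
            /lib64/*|/usr/lib64/*|/lib/*|/usr/lib/*) ;;
            *) echo "libvpx loaded from unexpected location: $p" >&2; return 1 ;;
        esac
    done
    version_ge "$(rpm_version "$nevr")" "$FIXED_VPX_VERSION"
}

# Stand-alone demo on the constructed log. On a real box, produce the log with
#   strace -o app.log mplayer source.webm
# and the NEVR with
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' lib64vpx6
demo_log=$(mktemp)
write_sample_log "$demo_log"
if update_effective "$demo_log" "lib64vpx6-1.8.1-1.mga7"; then
    echo "OK: the updated libvpx is the one being loaded"
else
    echo "FAIL: the traced tool is not using the fixed libvpx"
fi
rm -f "$demo_log"
```

The path check is the part that a plain `rpm -qa | grep vpx` does not cover: a binary can carry an RPATH or run under an LD_LIBRARY_PATH that points at an unpatched copy, in which case the package is updated but the process is still vulnerable. Running the player under strace, as the QA comment does, is what catches that.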
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0369.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED