Fedora has issued an advisory today (June 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/
Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28977
No obvious person to assign this 'aom' update to, so doing it globally.
Assignee: bugsquad => pkg-bugs
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Note that this update will require rebuilding ffmpeg, gstreamer1.0-plugins-bad, and vlc.
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
I've got an update to ffmpeg 4.3.2 in Mageia 8 SVN, so if someone works on this, don't add a subrel to ffmpeg.
Hi, I was able to backport upstream patches for CVE-2021-3047[35]. aom-2.0.1-4.mga9 and aom-2.0.1-3.1.mga8 contain those patches. Do we really need to rebuild ffmpeg, gstreamer1.0-plugins-bad and vlc or can that bug be set to QA without rebuilding them? Best regards, Nico.
CC: (none) => nicolas.salguero
We really should update to 3.1.1 at least in Cauldron, to get all of the bug fixes, and that will require the rebuilds, but just backporting patches should allow us to avoid that for now.
RPMs list:
aom-2.0.1-3.1.mga8
libaom2-2.0.1-3.1.mga8
libaom-devel-2.0.1-3.1.mga8
aom-extra-tools-2.0.1-3.1.mga8
from aom-2.0.1-3.1.mga8.src.rpm
Assigning to QA.
Assignee: pkg-bugs => qa-bugs
CC: (none) => ouaurelien
Reminder to myself to update Cauldron.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
mga8, x64
https://github.com/mozilla/aom
Alliance for Open Media Video Codec

/bin has these utilities:
aomanalyzer
aomdec
aomenc

Not enough help or any examples available to show how these are used. It is definitely developer country.

The whatrequires list includes:
gstreamer1.0-plugins-bad
mythtv-plugin-*
vlc-plugin-common

The recursive listing is huge but it is not obvious how to determine which applications might actually use the library in practice. For instance, get_iplayer is listed, but running it under strace does not show any sign of aom involvement during download of a specified BBC programme. Slightly more success with parole.

$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49320, ...}) = 0
read(16, "\0\0\0\0\250\300\0\0\0\0\0\0\317\324\330`\0\0\0\0\0\0\0\0\2\0\0\0aom\0"..., 1138) = 1138

Clean update of the four packages.

$ strace -o parole.trace parole corelli.avi
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49320, ...}) = 0

That seems a bit feeble so this will have to go out on the basis of a clean update.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
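The comment above notes that a recursive "whatrequires" listing does not say which binaries actually load libaom. A static check that answers that question is to read the DT_NEEDED entries of every ELF file under the library and plugin directories: anything that names libaom.so.2 is linked against the vulnerable library and is a candidate for rebuilding or at least restarting after the update. The script below is an added example, not code from this bug report or from the aom project; it is a minimal ELF64 little-endian parser over the program headers (PT_DYNAMIC plus PT_LOAD for the string table), with a constructed sample ELF image used only for the self-test. The caveat the strace output illustrates: parole does not link libaom itself but dlopens the GStreamer plugin /usr/lib64/gstreamer-1.0/libgstaom.so, so a scan must include plugin directories, where libaom shows up as a NEEDED of the plugin rather than of the application.

```python
import struct
import tempfile
from pathlib import Path
from typing import List

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def elf_needed(data: bytes) -> List[str]:
    """Return the DT_NEEDED sonames of an ELF64 little-endian file image."""
    if data[:4] != ELF_MAGIC:
        return []
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads = []  # (p_vaddr, p_offset, p_filesz) for each PT_LOAD segment
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = ph
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if dyn_off is None:
        return []  # no dynamic section: statically linked or not a loadable object

    def vaddr_to_offset(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it back to a file offset via PT_LOAD
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("DT_STRTAB not covered by any PT_LOAD segment")

    needed_offsets, strtab_vaddr = [], None
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed_offsets.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
    if strtab_vaddr is None:
        return []
    strtab = vaddr_to_offset(strtab_vaddr)
    return [data[strtab + o:data.index(b"\0", strtab + o)].decode() for o in needed_offsets]


def files_needing(root: Path, soname_prefix: str = "libaom.so") -> List[Path]:
    """Recursively list ELF files under root whose DT_NEEDED names start with soname_prefix."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            needed = elf_needed(path.read_bytes())
        except (OSError, ValueError, struct.error, UnicodeDecodeError):
            continue  # unreadable, non-ELF64, or malformed: skip rather than abort the scan
        if any(name.startswith(soname_prefix) for name in needed):
            hits.append(path)
    return hits


def build_sample_elf(needed: List[str]) -> bytes:
    """Constructed test data: a minimal ELF64 shared object with the given DT_NEEDED list."""
    base = 0x400000
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    name_offs, pos = [], 1
    for n in needed:
        name_offs.append(pos)
        pos += len(n) + 1
    dyn_off = 64 + 2 * 56                 # ELF header followed by two program headers
    dyn_size = (len(needed) + 2) * 16     # DT_NEEDED entries, DT_STRTAB, DT_NULL
    strtab_off = dyn_off + dyn_size
    total = strtab_off + len(strtab)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, dyn_size, dyn_size, 8)
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_offs)
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    return ehdr + phdrs + dyn + strtab


def demo_scan() -> List[str]:
    """Scan a temporary tree of constructed files and return the names that need libaom."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uses_aom.so").write_bytes(build_sample_elf(["libaom.so.2", "libc.so.6"]))
        (root / "no_aom.so").write_bytes(build_sample_elf(["libc.so.6"]))
        (root / "readme.txt").write_bytes(b"not an ELF file")
        return [p.name for p in files_needing(root)]


if __name__ == "__main__":
    print(demo_scan())
    # On a real mga8 box: files_needing(Path("/usr/lib64/gstreamer-1.0")) and files_needing(Path("/usr/lib64/vlc"))
```

Running it against /usr/lib64, /usr/bin and the GStreamer and VLC plugin directories gives the list of objects that resolve libaom.so.2 at load time; it will not see anything that loads libaom through dlopen by hand, which is what the strace check in the comment above is for.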
Len, there is a sample av1 file available for download at https://github.com/SPBTV/video_av1_samples/blob/master/spbtv_sample_bipbop_av1_960x540_25fps.mp4 I found some others at https://av1.webmfiles.org/ You could try downloading one or two of those and playing with vlc and/or parole. Perhaps that would invoke aom.
CC: (none) => andrewsfarm
Advisory:
========================

Updated aom packages fix security vulnerabilities:

aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap (CVE-2021-30473).

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free (CVE-2021-30474).

aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow (CVE-2021-30475).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29144
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30473
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30474
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30475
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/
========================

Updated packages in core/updates_testing:
========================
aom-2.0.1-3.1.mga8
lib(64)aom2-2.0.1-3.1.mga8
lib(64)aom-devel-2.0.1-3.1.mga8
aom-extra-tools-2.0.1-3.1.mga8

from aom-2.0.1-3.1.mga8.src.rpm
CVE: (none) => CVE-2021-3047[35]
Keywords: (none) => advisory
Downloaded the file from the first link in Comment 10, and played it with both vlc and parole with no issues. The test videos from the link played from within Firefox rather than download, but Firefox is set to use vlc, so it should work as a test, too. They were fine. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
@TJ regarding comment 10. Thanks for the pointers - keeping them in mind for the next time. I also realized that I have been reading avi for av1 - hay fever and cataracts are affecting my vision these days.
You're not alone. My search for "av1 sample download" on DuckDuckGo resulted in about a third of the links pointing to avi files!
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0352.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Not sure how CVE-2021-30474 snuck in the advisory for this one, as we didn't address that with this update. Bug 29550 filed for that.