Bug 29144 - aom new security issues CVE-2021-3047[35]
Summary: aom new security issues CVE-2021-3047[35]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-16 19:42 CEST by David Walser
Modified: 2021-10-12 23:17 CEST
CC List: 5 users

See Also:
Source RPM: aom-2.0.1-3.mga8.src.rpm
CVE: CVE-2021-3047[35]
Status comment:


Description David Walser 2021-06-16 19:42:15 CEST
Fedora has issued an advisory today (June 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-16 19:42:44 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28977

Comment 1 Lewis Smith 2021-06-17 21:05:30 CEST
No obvious person to assign this 'aom' update to, so doing it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-07-01 18:58:23 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Note that this update will require rebuilding ffmpeg, gstreamer1.0-plugins-bad, and vlc.

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 3 David Walser 2021-07-06 01:26:32 CEST
I've got an update to ffmpeg 4.3.2 in Mageia 8 SVN, so if someone works on this, don't add a subrel to ffmpeg.
Comment 4 Nicolas Salguero 2021-07-06 11:24:03 CEST
Hi,

I was able to backport upstream patches for CVE-2021-3047[35].  aom-2.0.1-4.mga9 and aom-2.0.1-3.1.mga8 contain those patches.

Do we really need to rebuild ffmpeg, gstreamer1.0-plugins-bad and vlc or can that bug be set to QA without rebuilding them?

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 5 David Walser 2021-07-06 14:46:04 CEST
We really should update to 3.1.1 at least in Cauldron, to get all of the bug fixes, and that will require the rebuilds, but just backporting patches should allow us to avoid that for now.
Comment 6 David Walser 2021-07-06 15:36:34 CEST
RPMs list:
aom-2.0.1-3.1.mga8
libaom2-2.0.1-3.1.mga8
libaom-devel-2.0.1-3.1.mga8
aom-extra-tools-2.0.1-3.1.mga8

from aom-2.0.1-3.1.mga8.src.rpm
Comment 7 Aurelien Oudelet 2021-07-13 22:42:52 CEST
Assigning to QA.

Assignee: pkg-bugs => qa-bugs
CC: (none) => ouaurelien

Comment 8 David Walser 2021-07-13 22:44:25 CEST
Reminder to myself to update Cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 9 Len Lawrence 2021-07-14 21:27:34 CEST
mga8, x64

https://github.com/mozilla/aom
Alliance for Open Media Video Codec

/bin has these utilities:
aomanalyzer  aomdec  aomenc

Not enough help or any examples available to show how these are used.  It is definitely developer country.

The whatrequires list includes:
gstreamer1.0-plugins-bad
mythtv-plugin-*
vlc-plugin-common

The recursive listing is huge but it is not obvious how to determine which applications might actually use the library in practice.  For instance, get_iplayer is listed, but running it under strace does not show any sign of aom involvement during download of a specified BBC programme.

Slightly more success with parole.
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49320, ...}) = 0
read(16, "\0\0\0\0\250\300\0\0\0\0\0\0\317\324\330`\0\0\0\0\0\0\0\0\2\0\0\0aom\0"..., 1138) = 1138

Clean update of the four packages.
$ strace -o parole.trace parole corelli.avi
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49320, ...}) = 0

That seems a bit feeble so this will have to go out on the basis of a clean update.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 10 Thomas Andrews 2021-07-15 16:34:31 CEST
Len, there is a sample av1 file available for download at https://github.com/SPBTV/video_av1_samples/blob/master/spbtv_sample_bipbop_av1_960x540_25fps.mp4

I found some others at https://av1.webmfiles.org/

You could try downloading one or two of those and playing with vlc and/or parole. Perhaps that would invoke aom.

CC: (none) => andrewsfarm

Comment 11 Aurelien Oudelet 2021-07-15 22:13:28 CEST
Advisory:
========================

Updated aom packages fix security vulnerabilities:

aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap (CVE-2021-30473).

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free (CVE-2021-30474).

aom_dsp/noise_model.c in libaom in AOMedia before 2021-03-24 has a buffer overflow (CVE-2021-30475).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29144
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30473
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30474
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30475
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZXCI33HXH6YSOGC2LPE2REQLMIDH6US4/
========================

Updated packages in core/updates_testing:
========================
aom-2.0.1-3.1.mga8
lib(64)aom2-2.0.1-3.1.mga8
lib(64)aom-devel-2.0.1-3.1.mga8
aom-extra-tools-2.0.1-3.1.mga8

from aom-2.0.1-3.1.mga8.src.rpm

CVE: (none) => CVE-2021-3047[35]
Keywords: (none) => advisory

Comment 12 Thomas Andrews 2021-07-15 22:35:06 CEST
Downloaded the file from the first link in Comment 10, and played it with both vlc and parole with no issues. The test videos from the link played from within Firefox rather than download, but Firefox is set to use vlc, so it should work as a test, too. They were fine.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Len Lawrence 2021-07-16 00:53:04 CEST
@TJ regarding comment 10.
Thanks for the pointers - keeping them in mind for the next time.  I also realized that I have been reading avi for av1 - hay fever and cataracts are affecting my vision these days.
Comment 14 Thomas Andrews 2021-07-16 01:41:39 CEST
You're not alone. My search for "av1 sample download" on DuckDuckGo resulted in about a third of the links pointing to avi files!
Comment 15 Mageia Robot 2021-07-16 10:26:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 David Walser 2021-10-12 23:17:42 CEST
Not sure how CVE-2021-30474 snuck in the advisory for this one, as we didn't address that with this update.  Bug 29550 filed for that.