Bug 29550 - aom new security issue CVE-2021-30474
Summary: aom new security issue CVE-2021-30474
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-10-12 23:17 CEST by David Walser
Modified: 2021-10-14 22:23 CEST (History)
5 users (show)

See Also:
Source RPM: aom-2.0.1-3.1.mga8.src.rpm
CVE: CVE-2021-30474
Status comment:


Attachments

Description David Walser 2021-10-12 23:17:19 CEST
SUSE has issued an advisory today (October 12):
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009569.html
Comment 1 David Walser 2021-10-12 23:26:39 CEST
openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/

CC: (none) => nicolas.salguero
Status comment: (none) => Patch available from upstream

Comment 2 Nicolas Salguero 2021-10-13 12:24:41 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free. (CVE-2021-30474)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30474
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009569.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/
========================

Updated packages in core/updates_testing:
========================
aom-2.0.1-3.2.mga8
lib(64)aom2-2.0.1-3.2.mga8
lib(64)aom-devel-2.0.1-3.2.mga8
aom-extra-tools-2.0.1-3.2.mga8

from SRPM:
aom-2.0.1-3.2.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
CVE: (none) => CVE-2021-30474

Comment 3 Len Lawrence 2021-10-13 12:45:00 CEST
Permission denied on aom link from Mitre CVE issue.

CC: (none) => tarazed25

Comment 4 Dave Hodgins 2021-10-13 17:53:32 CEST
(In reply to Len Lawrence from comment #3)
> Permission denied on aom link from Mitre CVE issue.

Which link?
https://aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e
opens ok here.

CC: (none) => davidwhodgins

Comment 5 Len Lawrence 2021-10-13 18:07:57 CEST
mga8, x64

Updated the packages with qarepo.
$ ls /usr/bin/aom*
/usr/bin/aomanalyzer*  /usr/bin/aomdec*  /usr/bin/aomenc*

$ urpmq --whatrequires lib64aom2 | uniq
aom
aom-extra-tools
gstreamer1.0-plugins-bad
lib64aom2
lib64avcodec58
lib64heif1
lib64myth31
lib64xine2
mythtv-plugin-archive
mythtv-plugin-browser
mythtv-plugin-game
mythtv-plugin-music
mythtv-plugin-netvision
mythtv-plugin-news
mythtv-plugin-weather
mythtv-plugin-zoneminder
vlc-plugin-common

Ran a series of traces to look for usage of aom.
$ strace -o parole.trace parole LammasTide.wav
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
$ strace -o vlc.trace vlc Corelli.....mkv
$ grep aom vlc.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0
$ strace -o avi.trace parole corelli.avi
$ grep aom avi.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
$ strace -o tv.trace vlc channels.xspf
$ grep aom tv.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0

It looks like aom turns up on the plugin side for these applications.  Taking that as confirmation of use.

No help for aomanalyzer.
$ aomanalyzer -h
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1

The /usr/share/doc readme.md file is aimed at developers and development testing.
$ aomenc --help
Usage: aomenc <options> -o dst_filename src_filename 

The options confirm that these are developer tools which need background knowledge.
Sending this on.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2021-10-13 18:11:15 CEST
@Dave in reply to comment 4:
https://bugs.chromium.org/p/aomedia/issues/detail?id=3000

Probably need an account for the project.
Comment 7 Thomas Andrews 2021-10-14 22:23:08 CEST
(In reply to Len Lawrence from comment #6)
> @Dave in reply to comment 4:
> https://bugs.chromium.org/p/aomedia/issues/detail?id=3000
> 
> Probably need an account for the project.

Looks like it. When I try the link, I get "permission denied" too, but then it diverts to a Google accounts login screen. I left.

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs


Note You need to log in before you can comment on or make changes to this bug.