SUSE has issued an advisory today (October 12): https://lists.suse.com/pipermail/sle-security-updates/2021-October/009569.html
openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/
Status comment: (none) => Patch available from upstream
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free. (CVE-2021-30474)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30474
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009569.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/S6VFR2SEGRR5ORYTWSFNBKWUUVDDXFEW/
========================

Updated packages in core/updates_testing:
========================
aom-2.0.1-3.2.mga8
lib(64)aom2-2.0.1-3.2.mga8
lib(64)aom-devel-2.0.1-3.2.mga8
aom-extra-tools-2.0.1-3.2.mga8

from SRPM:
aom-2.0.1-3.2.mga8.src.rpm
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2021-30474
Status comment: Patch available from upstream => (none)
Status: NEW => ASSIGNED
Permission denied on aom link from Mitre CVE issue.
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #3)
> Permission denied on aom link from Mitre CVE issue.

Which link?
https://aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e opens ok here.
CC: (none) => davidwhodgins
mga8, x64

Updated the packages with qarepo.

$ ls /usr/bin/aom*
/usr/bin/aomanalyzer*
/usr/bin/aomdec*
/usr/bin/aomenc*

$ urpmq --whatrequires lib64aom2 | uniq
aom
aom-extra-tools
gstreamer1.0-plugins-bad
lib64aom2
lib64avcodec58
lib64heif1
lib64myth31
lib64xine2
mythtv-plugin-archive
mythtv-plugin-browser
mythtv-plugin-game
mythtv-plugin-music
mythtv-plugin-netvision
mythtv-plugin-news
mythtv-plugin-weather
mythtv-plugin-zoneminder
vlc-plugin-common

Ran a series of traces to look for usage of aom.

$ strace -o parole.trace parole LammasTide.wav
$ grep aom parole.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0

$ strace -o vlc.trace vlc Corelli.....mkv
$ grep aom vlc.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0

$ strace -o avi.trace parole corelli.avi
$ grep aom avi.trace
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0

$ strace -o tv.trace vlc channels.xspf
$ grep aom tv.trace
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = 0

It looks like aom turns up on the plugin side for these applications. Taking that as confirmation of use.

No help for aomanalyzer.

$ aomanalyzer -h
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1

The /usr/share/doc readme.md file is aimed at developers and development testing.

$ aomenc --help
Usage: aomenc <options> -o dst_filename src_filename

The options confirm that these are developer tools which need background knowledge.

Sending this on.
Whiteboard: (none) => MGA8-64-OK
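The strace check in the QA comment above (grep the trace for "aom" and treat a hit as confirmation that the updated library is exercised) can be made a little more careful. The following is an added example, not part of the bug report or of Mageia's QA tooling: a POSIX sh helper that reads an strace log and lists only those library paths matching a pattern that a stat/open/openat call actually resolved. A lookup that returned -1 ENOENT means the loader probed for a plugin and did not find it, which is not evidence of use. The trace text embedded below is constructed; its first lines copy the shape of the real output quoted in the comment, and the ENOENT line is invented to show the failure case.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm from an strace log that an
# application resolved a libaom-related shared object, rather than merely
# looking for one.

# Constructed sample trace. The stat() lines mirror the real strace output
# quoted in the bug; the ENOENT line and the openat() lines are made up.
SAMPLE_TRACE='stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/libaom.so.2", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=19328, ...}) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=49432, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/libavcodec.so.58", O_RDONLY|O_CLOEXEC) = 4'

# loaded_libs PATTERN < trace
# Prints each distinct quoted path containing PATTERN from a stat/lstat/open/
# openat call whose return value is not -1, one per line, sorted.
loaded_libs() {
    pattern=$1
    grep -E '^(stat|lstat|open|openat)\(' \
      | grep -v ') = -1 ' \
      | sed -n 's/.*"\([^"]*\)".*/\1/p' \
      | grep -- "$pattern" \
      | sort -u
}

# Run the check over the constructed sample (in real use: loaded_libs aom < vlc.trace).
sample_aom_libs() {
    printf '%s\n' "$SAMPLE_TRACE" | loaded_libs aom
}

# Number of distinct aom objects confirmed loaded in the sample.
sample_aom_count() {
    sample_aom_libs | wc -l | tr -d ' '
}

sample_aom_libs
```

On the constructed sample this reports libgstaom.so and libaom.so.2 and leaves out libaom_plugin.so, because that stat() failed. On a real trace the same filter separates "the application went looking for the plugin" from "the application found and opened it", which is what QA wants to know before marking the update as exercised.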
@Dave in reply to comment 4:
https://bugs.chromium.org/p/aomedia/issues/detail?id=3000

Probably need an account for the project.
(In reply to Len Lawrence from comment #6)
> @Dave in reply to comment 4:
> https://bugs.chromium.org/p/aomedia/issues/detail?id=3000
>
> Probably need an account for the project.

Looks like it. When I try the link, I get "permission denied" too, but then it diverts to a Google accounts login screen. I left.

Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0482.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED