SUSE has issued an advisory today (December 23): https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html Since they patched 1.0.0, I wonder if there's also more CVEs that affected 2.0.1 that didn't affect 1.0.0. Anyway, the issues were patched upstream 11-12 months ago.
CC: (none) => nicolas.salguero
openSUSE has issued an advisory for this today (December 23): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/
Status comment: (none) => Patches available from upstream and openSUSE
No evident maintainer for this SRPM, but DavidW already CC'd NicolasS, who did the last CVE updates; so assigning correspondingly.
CC: nicolas.salguero => (none)Assignee: bugsquad => nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. (CVE-2020-36129) AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. (CVE-2020-36130) AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. (CVE-2020-36131) AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. (CVE-2020-36135) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36129 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36130 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36131 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36135 https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/ ======================== Updated packages in core/updates_testing: ======================== aom-extra-tools-2.0.1-3.3.mga8 aom-2.0.1-3.3.mga8 lib(64)aom2-2.0.1-3.3.mga8 lib(64)aom-devel-2.0.1-3.3.mga8 from SRPM: aom-2.0.1-3.3.mga8.src.rpm
Assignee: nicolas.salguero => qa-bugsStatus: NEW => ASSIGNEDStatus comment: Patches available from upstream and openSUSE => (none)
CVE-2020-3613[34] do exist and also affect 2.0.1. CVE-2020-36132 is reserved so I'm not sure about that one.
Keywords: (none) => feedback
After looking at the code, I found that CVE-2020-36133 also affects our package but not CVE-2020-36134 (the problematic code was not introduced yet). Suggested advisory: ======================== The updated packages fix security vulnerabilities: AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. (CVE-2020-36129) AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. (CVE-2020-36130) AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. (CVE-2020-36131) AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. (CVE-2020-36135) AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h. (CVE-2020-36133) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36129 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36130 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36131 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36135 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36133 https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/ ======================== Updated packages in core/updates_testing: ======================== aom-extra-tools-2.0.1-3.4.mga8 aom-2.0.1-3.4.mga8 lib(64)aom2-2.0.1-3.4.mga8 lib(64)aom-devel-2.0.1-3.4.mga8 from SRPM: aom-2.0.1-3.4.mga8.src.rpm
Summary: aom new security issues CVE-2020-36129 and CVE-2020-3613[015] => aom new security issues CVE-2020-36129 and CVE-2020-3613[0135]Keywords: feedback => (none)
(In reply to Nicolas Salguero from comment #5) > package but not CVE-2020-36134 (the problematic code was not introduced yet). How is that possible? We have 2.0.1, which is what the CVE description says.
It seems we have a development version. Either the snapshot dates before rc1 or the offending code and the solution were completely removed at the time the version 2.0.1 was released.
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues: At CLI: $ aomanalyzer noor20112008.11.21_10-44-30.avi aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1
CC: (none) => herman.viaene
Ouch. The wx update in updates_testing needs to be removed and this needs to be rebuilt.
CC: (none) => sysadmin-bugs
Mageia 8 X64 Gnome No installation issue. $aomdec --help Usage: aomdec <options> filename Options: --help Show usage options and exit --codec=<arg> Codec to use --yv12 Output raw YV12 frames --i420 Output raw I420 frames --flipuv Flip the chroma planes in the output --rawvideo Output raw YUV frames --noblit Don't process the decoded frames --progress Show progress after each frame decodes --limit=<arg> Stop decoding after n frames --skip=<arg> Skip the first n input frames --summary Show timing summary aomdec seems to be the cli command.
CC: (none) => hdetavernier
It looks like Jani is still trying to push the broken wxgtk update, so I'll let him comment on the status of that.
CC: (none) => jani.valimaa
Depends on: (none) => 29848
$ rpm -qa aom-extra-tools aom-extra-tools-2.0.1-3.2.mga8 $ rpm -qa wxgtk3.1 wxgtk3.1-3.1.5-0.git20201230.1.mga8 $ aomanalyzer aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1
$ rpm -qa aom-extra-tools aom-extra-tools-2.0.1-3.5.mga8 $ rpm -qa wxgtk3.1 wxgtk3.1-3.1.5-1.mga8 aomanalyzer starts without symbol lookup error.
Package list is now: libaom2-2.0.1-3.5.mga8 libaom-devel-2.0.1-3.5.mga8 aom-2.0.1-3.5.mga8 aom-extra-tools-2.0.1-3.5.mga8 from aom-2.0.1-3.5.mga8.src.rpm
Installing rpm's from Comment 14, plus wxgtk3 from Comment 13 so $ rpm -qa wxgtk3.1 wxgtk3.1-3.1.5-1.mga8 but still $ aomanalyzer noor20112008.11.21_10-44-30.avi aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.
(In reply to Herman Viaene from comment #15) > Installing rpm's from Comment 14, plus wxgtk3 from Comment 13 > so > $ rpm -qa wxgtk3.1 > wxgtk3.1-3.1.5-1.mga8 > but still > $ aomanalyzer noor20112008.11.21_10-44-30.avi > aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: > _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3. You need to update wxgtk libs also to 3.1.5-1.mga. At least the following ones, required by aom-extra-tools: lib(64)wx_baseu3.1_5 lib(64)wx_gtk3u_core3.1_5
If these are needed, why aren't they dependencies. It cann't be that someone (like I did) installs aom for the first time, has to chase those required packages manually???
They are and will be pulled automatic when urpmi --auto-u or --auto-s is used and all media is up to date. If one installs updates by hand specifying only pkgs one wants, they're not installed as old pkgs satify dependencies.
(In reply to Jani Välimaa from comment #18) > They are and will be pulled automatic when urpmi --auto-u or --auto-s is > used and all media is up to date. > > If one installs updates by hand specifying only pkgs one wants, they're not > installed as old pkgs satify dependencies. And of course in ideal world bug 29848 is already fixed and all needed deps are available in core/updates and installed before pkgs from this bug are installed.
The rpm's mentioned in Comment 16 aren't yet in testing repo? I get: l ib64wx_baseu3.1_5 not found in the remote repository lib64wx_gtk3u_core3.1_5 not found in the remote repository
Got the correct rpm names from bug 29291. Installed those, and then found out I fell in the same trap as Len in bug 29144 mistakinng avi for av1. The files pointed to in bug 29144 play OK, but I wanted to see something on the CLI: $ aomanalyzer opens a small window with tree menu items. File - Open only let me choose .ivf files. Looked in google for a sample (making sure not to get into fertility ....) and found one at https://github.com/webmproject/vp9-dash/blob/master/DASH-Samples/Fountain_2997_3000kbps_1280x720_1x1PAR.ivf That file plays OK on vlc player, so it should be OK, but when I open it in aomanalyzer, I get: Unknown input codec.Unknown input codec.Failed to decode frame.Segmentation fault (dump made). In view of the first tests as in bug 29144, it could be OK, but I don't kknow what to make of this "Segmentation fault"
64-bit with all wxgtk libs updated re bug 29848: UPDATED: aom-2.0.1-3.5.mga8 aom-extra-tools-2.0.1-3.5.mga8 lib64aom2-2.0.1-3.5.mga8 $ /usr/bin/aomanalyzer pops a reactive window. $ /usr/bin/aomdec --help shows correct help; it does nothing 'bare'. No GUI. Usage: /usr/bin/aomdec <options> filename $ /usr/bin/aomenc --help shows correct help; it does nothing 'bare'. No GUI. Usage: /usr/bin/aomenc <options> -o dst_filename src_filename Judging this OK for the mass wxgtk update. Except it is not included specifically in that, just cross-referred here. Does this need itw own advisory?
Keywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => davidwhodgins, lewyssmith
Yes, aom is a security update and will be pushed through this bug with its own advisory.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0040.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED