Bug 29808 - aom new security issues CVE-2020-36129 and CVE-2020-3613[0135]
Summary: aom new security issues CVE-2020-36129 and CVE-2020-3613[0135]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 29848
Blocks:
Reported: 2021-12-23 17:52 CET by David Walser
Modified: 2022-01-27 23:28 CET
CC List: 7 users

See Also:
Source RPM: aom-2.0.1-3.2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-12-23 17:52:35 CET
SUSE has issued an advisory today (December 23):
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html

Since they patched 1.0.0, I wonder if there are also more CVEs that affected 2.0.1 that didn't affect 1.0.0.  Anyway, the issues were patched upstream 11-12 months ago.
David Walser 2021-12-23 17:53:05 CET

CC: (none) => nicolas.salguero

Comment 1 David Walser 2021-12-23 17:58:26 CET
openSUSE has issued an advisory for this today (December 23):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/

Status comment: (none) => Patches available from upstream and openSUSE

Comment 2 Lewis Smith 2021-12-23 20:31:44 CET
No evident maintainer for this SRPM, but DavidW already CC'd NicolasS, who did the last CVE updates; so assigning correspondingly.

CC: nicolas.salguero => (none)
Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2021-12-24 14:39:59 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. (CVE-2020-36129)

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. (CVE-2020-36130)

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. (CVE-2020-36131)

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. (CVE-2020-36135)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36135
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/
========================

Updated packages in core/updates_testing:
========================
aom-extra-tools-2.0.1-3.3.mga8
aom-2.0.1-3.3.mga8
lib(64)aom2-2.0.1-3.3.mga8
lib(64)aom-devel-2.0.1-3.3.mga8

from SRPM:
aom-2.0.1-3.3.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from upstream and openSUSE => (none)

David Walser 2021-12-24 14:49:33 CET

CC: (none) => nicolas.salguero

Comment 4 David Walser 2021-12-24 14:51:01 CET
CVE-2020-3613[34] do exist and also affect 2.0.1.  CVE-2020-36132 is reserved so I'm not sure about that one.

Keywords: (none) => feedback

Comment 5 Nicolas Salguero 2021-12-27 15:32:37 CET
After looking at the code, I found that CVE-2020-36133 also affects our package but not CVE-2020-36134 (the problematic code was not introduced yet).

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. (CVE-2020-36129)

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c. (CVE-2020-36130)

AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c. (CVE-2020-36131)

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c. (CVE-2020-36135)

AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h. (CVE-2020-36133)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36133
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009940.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CU5I3APCIYTJ5MCNA4TTKLC2PLKDGKU/
========================

Updated packages in core/updates_testing:
========================
aom-extra-tools-2.0.1-3.4.mga8
aom-2.0.1-3.4.mga8
lib(64)aom2-2.0.1-3.4.mga8
lib(64)aom-devel-2.0.1-3.4.mga8

from SRPM:
aom-2.0.1-3.4.mga8.src.rpm

Summary: aom new security issues CVE-2020-36129 and CVE-2020-3613[015] => aom new security issues CVE-2020-36129 and CVE-2020-3613[0135]
Keywords: feedback => (none)

Comment 6 David Walser 2021-12-27 15:43:09 CET
(In reply to Nicolas Salguero from comment #5)
> package but not CVE-2020-36134 (the problematic code was not introduced yet).

How is that possible?  We have 2.0.1, which is what the CVE description says.
Comment 7 Nicolas Salguero 2021-12-27 15:53:46 CET
It seems we have a development version.  Either the snapshot dates before rc1 or the offending code and the solution were completely removed at the time the version 2.0.1 was released.
Comment 8 Herman Viaene 2021-12-28 11:57:24 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues:
At CLI:
$ aomanalyzer noor20112008.11.21_10-44-30.avi 
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1

CC: (none) => herman.viaene

Comment 9 David Walser 2021-12-28 16:07:24 CET
Ouch.  The wx update in updates_testing needs to be removed and this needs to be rebuilt.

CC: (none) => sysadmin-bugs

Comment 10 Hugues Detavernier 2021-12-30 10:24:02 CET
Mageia 8 X64 Gnome

No installation issue.

$ aomdec --help
Usage: aomdec <options> filename

Options:
            --help                     	Show usage options and exit
            --codec=<arg>              	Codec to use
            --yv12                     	Output raw YV12 frames
            --i420                     	Output raw I420 frames
            --flipuv                   	Flip the chroma planes in the output
            --rawvideo                 	Output raw YUV frames
            --noblit                   	Don't process the decoded frames
            --progress                 	Show progress after each frame decodes
            --limit=<arg>              	Stop decoding after n frames
            --skip=<arg>               	Skip the first n input frames
            --summary                  	Show timing summary

aomdec seems to be the CLI command.

CC: (none) => hdetavernier

Comment 11 David Walser 2022-01-05 18:22:14 CET
It looks like Jani is still trying to push the broken wxgtk update, so I'll let him comment on the status of that.

CC: (none) => jani.valimaa

David Walser 2022-01-05 23:30:26 CET

Depends on: (none) => 29848

Comment 12 Jani Välimaa 2022-01-06 08:49:15 CET
$ rpm -qa aom-extra-tools
aom-extra-tools-2.0.1-3.2.mga8

$ rpm -qa wxgtk3.1
wxgtk3.1-3.1.5-0.git20201230.1.mga8

$ aomanalyzer 
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.1
Comment 13 Jani Välimaa 2022-01-06 08:52:20 CET
$ rpm -qa aom-extra-tools
aom-extra-tools-2.0.1-3.5.mga8

$ rpm -qa wxgtk3.1
wxgtk3.1-3.1.5-1.mga8

aomanalyzer starts without symbol lookup error.
Comment 14 David Walser 2022-01-06 18:51:53 CET
Package list is now:
libaom2-2.0.1-3.5.mga8
libaom-devel-2.0.1-3.5.mga8
aom-2.0.1-3.5.mga8
aom-extra-tools-2.0.1-3.5.mga8

from aom-2.0.1-3.5.mga8.src.rpm
Comment 15 Herman Viaene 2022-01-07 14:10:12 CET
Installing rpm's from Comment 14, plus wxgtk3 from Comment 13
so
$ rpm -qa wxgtk3.1
wxgtk3.1-3.1.5-1.mga8
but still
$ aomanalyzer noor20112008.11.21_10-44-30.avi
aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol: _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.
Comment 16 Jani Välimaa 2022-01-07 16:57:04 CET
(In reply to Herman Viaene from comment #15)
> Installing rpm's from Comment 14, plus wxgtk3 from Comment 13
> so
> $ rpm -qa wxgtk3.1
> wxgtk3.1-3.1.5-1.mga8
> but still
> $ aomanalyzer noor20112008.11.21_10-44-30.avi
> aomanalyzer: symbol lookup error: aomanalyzer: undefined symbol:
> _ZN12wxWindowBase29WXSetInitialFittingClientSizeEi, version WXU_3.

You need to update wxgtk libs also to 3.1.5-1.mga. At least the following ones, required by aom-extra-tools:
lib(64)wx_baseu3.1_5
lib(64)wx_gtk3u_core3.1_5
Comment 17 Herman Viaene 2022-01-07 17:07:23 CET
If these are needed, why aren't they dependencies? It can't be that someone (like I did) who installs aom for the first time has to chase those required packages manually???
Comment 18 Jani Välimaa 2022-01-07 17:28:23 CET
They are, and will be pulled automatically when urpmi --auto-u or --auto-s is used and all media is up to date.

If one installs updates by hand specifying only the pkgs one wants, they're not installed, as the old pkgs satisfy dependencies.
Comment 19 Jani Välimaa 2022-01-07 17:39:33 CET
(In reply to Jani Välimaa from comment #18)
> They are and will be pulled automatic when urpmi --auto-u or --auto-s is
> used and all media is up to date.
> 
> If one installs updates by hand specifying only pkgs one wants, they're not
> installed as old pkgs satisfy dependencies.

And of course in ideal world bug 29848 is already fixed and all needed deps are available in core/updates and installed before pkgs from this bug are installed.
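A check for the situation described in comments 15 to 19, where the aom packages were installed by hand and the old wx libraries still satisfied the dependencies, so nothing forced them to be updated. This is an added example for this bug, not part of Mageia's tooling or of the bug itself: it compares the `rpm -qa` output of a test machine against the package list of the advisory and reports what is missing or older than expected. The expected version-releases are taken from comments 14 and 16; the `rpm -qa` output below is constructed to mimic the tester's machine and is not real output. The version comparison is a simplified rpmvercmp (segment-wise, digits numeric, letters lexical) without tilde, caret or epoch handling.

```python
"""Check an installed package set against the package list of an advisory.

Added example for this bug, not part of Mageia's tooling or of the bug
itself. The expected name/version-release pairs below are taken from
comments 14 and 16; the `rpm -qa` output is constructed to mimic a tester
who installed the aom packages by hand while the wx libraries stayed at
their old release (the situation described in comments 15-18).
"""
import re

# Expected version-release per package (aom from comment 14, wx from comment 16).
EXPECTED = {
    "aom": "2.0.1-3.5.mga8",
    "aom-extra-tools": "2.0.1-3.5.mga8",
    "lib64aom2": "2.0.1-3.5.mga8",
    "lib64aom-devel": "2.0.1-3.5.mga8",
    "wxgtk3.1": "3.1.5-1.mga8",
    "lib64wx_baseu3.1_5": "3.1.5-1.mga8",
    "lib64wx_gtk3u_core3.1_5": "3.1.5-1.mga8",
}

# Constructed `rpm -qa` output; NOT captured from a real system.
SAMPLE_RPM_QA = """\
aom-2.0.1-3.5.mga8.x86_64
aom-extra-tools-2.0.1-3.5.mga8.x86_64
lib64aom2-2.0.1-3.5.mga8.x86_64
wxgtk3.1-3.1.5-1.mga8.x86_64
lib64wx_baseu3.1_5-3.1.5-0.git20201230.1.mga8.x86_64
lib64wx_gtk3u_core3.1_5-3.1.5-0.git20201230.1.mga8.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right.

    Digit segments compare numerically, alpha segments lexically, and a
    digit segment sorts after an alpha segment. Tilde/caret handling and
    epochs are omitted. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nevra(line: str):
    """Split `name-version-release.arch`, the default `rpm -qa` format.

    Package names may contain hyphens (aom-extra-tools) but version and
    release never do, so split from the right.
    """
    nvr, _, arch = line.strip().rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def check_installed(rpm_qa_output: str, expected: dict) -> dict:
    """Classify every expected package as ok, outdated or missing."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, version, release, _arch = parse_nevra(line)
            installed[name] = f"{version}-{release}"
    result = {"ok": [], "outdated": [], "missing": []}
    for name, want in sorted(expected.items()):
        have = installed.get(name)
        if have is None:
            result["missing"].append(name)
        elif rpm_vercmp(have, want) < 0:
            result["outdated"].append((name, have, want))
        else:
            result["ok"].append(name)
    return result


if __name__ == "__main__":
    report = check_installed(SAMPLE_RPM_QA, EXPECTED)
    for name, have, want in report["outdated"]:
        print(f"OUTDATED {name}: installed {have}, advisory wants {want}")
    for name in report["missing"]:
        print(f"MISSING  {name}")
    print("ok:", ", ".join(report["ok"]))
```

On the constructed input the two wx libraries are reported as outdated and lib64aom-devel as missing, which is exactly what the symbol lookup error in comment 15 was hiding. To use it on a real machine, replace SAMPLE_RPM_QA with the output of `rpm -qa` and EXPECTED with the package list from the advisory.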
Comment 20 Herman Viaene 2022-01-08 10:54:47 CET
The rpm's mentioned in Comment 16 aren't yet in testing repo?
I get:
lib64wx_baseu3.1_5 not found in the remote repository
lib64wx_gtk3u_core3.1_5 not found in the remote repository
Comment 21 Herman Viaene 2022-01-08 11:35:38 CET
Got the correct rpm names from bug 29291.
Installed those, and then found out I fell in the same trap as Len in bug 29144, mistaking avi for av1.
The files pointed to in bug 29144 play OK, but I wanted to see something on the CLI:
$ aomanalyzer
opens a small window with three menu items. File - Open only let me choose .ivf files.
Looked in google for a sample (making sure not to get into fertility ....) and found one at 
https://github.com/webmproject/vp9-dash/blob/master/DASH-Samples/Fountain_2997_3000kbps_1280x720_1x1PAR.ivf
That file plays OK on vlc player, so it should be OK, but when I open it in aomanalyzer, I get: Unknown input codec.Unknown input codec.Failed to decode frame.Segmentation fault (dump made).

In view of the first tests as in bug 29144, it could be OK, but I don't know what to make of this "Segmentation fault"
Comment 22 Lewis Smith 2022-01-27 20:08:28 CET
64-bit with all wxgtk libs updated re bug 29848:
UPDATED:
 aom-2.0.1-3.5.mga8
 aom-extra-tools-2.0.1-3.5.mga8
 lib64aom2-2.0.1-3.5.mga8
$ /usr/bin/aomanalyzer
 pops a reactive window.
$ /usr/bin/aomdec --help
 shows correct help; it does nothing 'bare'. No GUI.
 Usage: /usr/bin/aomdec <options> filename
$ /usr/bin/aomenc --help
 shows correct help; it does nothing 'bare'. No GUI.
 Usage: /usr/bin/aomenc <options> -o dst_filename src_filename

Judging this OK for the mass wxgtk update. Except it is not included specifically in that, just cross-referred here. Does this need its own advisory?

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, lewyssmith

Comment 23 David Walser 2022-01-27 20:10:13 CET
Yes, aom is a security update and will be pushed through this bug with its own advisory.
Dave Hodgins 2022-01-27 20:26:34 CET

Keywords: (none) => advisory

Comment 24 Mageia Robot 2022-01-27 23:28:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0040.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

