Bug 32342 - 0-day in libvpx
Summary: 0-day in libvpx
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO has_procedure MGA9-64-OK MGA8...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-29 01:13 CEST by Dan Fandrich
Modified: 2023-10-02 12:20 CEST

See Also:
Source RPM: libvpx-1.12.0-1.mga9.src.rpm
CVE: CVE-2023-5217
Status comment:



Description Dan Fandrich 2023-09-29 01:13:34 CEST
News reports are claiming CVE-2023-5217 is being actively exploited in the wild.

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) 

The issue is allegedly fixed in libvpx 1.13.1.

Chrome and Firefox are also vulnerable, but Chromium at least uses the system shared libvpx library.
Dan Fandrich 2023-09-29 01:16:20 CEST

CVE: (none) => CVE-2023-5217
Whiteboard: (none) => MGA8TOO

Comment 1 Dan Fandrich 2023-09-29 02:03:05 CEST
It looks like 1.13.1 hasn't been released yet, but https://www.openwall.com/lists/oss-security/2023/09/28/5 points to https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590%5E%21/ as being the relevant patch, and that's what Arch at least has used.

Cauldron and mga have 1.12.0 and mga8 has 1.9.0. The 1.13.0 release notes say "This release is ABI incompatible with the previous release." but they bumped the SONAME for some reason anyway.

I've pushed libvpx-1.13.0-1.mga10 to Cauldron, but the SONAME bump means that all the dependent packages will need to be rebuilt.
Comment 2 Dan Fandrich 2023-09-29 02:35:12 CEST
Proposed security advisory text:

========================
Updated the libvpx package to fix a security vulnerability:

Heap buffer overflow in vp8 encoding in libvpx allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217
https://www.openwall.com/lists/oss-security/2023/09/28/5


The following fixed RPMS are now available:

mga9
----
source
libvpx-1.12.0-1.1.mga9.src.rpm

i586
libvpx7-1.12.0-1.1.mga9.i586.rpm
libvpx-utils-1.12.0-1.1.mga9.i586.rpm
libvpx-devel-1.12.0-1.1.mga9.i586.rpm

x86_64
libvpx-utils-1.12.0-1.1.mga9.x86_64.rpm
lib64vpx7-1.12.0-1.1.mga9.x86_64.rpm
lib64vpx-devel-1.12.0-1.1.mga9.x86_64.rpm


mga8
----
source
libvpx-1.9.0-1.1.mga8.src.rpm

i586
libvpx6-1.9.0-1.1.mga8.i586.rpm
libvpx-devel-1.9.0-1.1.mga8.i586.rpm
libvpx-utils-1.9.0-1.1.mga8.i586.rpm

x86_64
libvpx-utils-1.9.0-1.1.mga8.x86_64.rpm
lib64vpx6-1.9.0-1.1.mga8.x86_64.rpm
lib64vpx-devel-1.9.0-1.1.mga8.x86_64.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Dan Fandrich 2023-09-29 03:24:31 CEST
Here's a basic regression test procedure that uses libvpx to encode VP8 video from a webcam to make sure the library still works for that.

1. Install gstreamer1.0-vp8 and gstreamer1.0-tools
2. From a command-line, run:
  gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! webmmux ! filesink location=vp8test.webm
3. After a few seconds, press Ctrl-C to stop recording.
4. View the video file vp8test.webm using a web browser or video player to ensure it looks like real video and was encoded correctly.

Whiteboard: MGA8TOO => MGA8TOO has_procedure
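
A headless variant of the regression procedure in comment 3, added here as an example and not part of the original bug thread: it feeds vp8enc from videotestsrc instead of a webcam (so no /dev/video0 access is needed) and then checks that the output is a WebM container with a VP8 track. The function names, the "run" argument and the 64 KiB scan window are assumptions of this example.

```shell
#!/bin/sh
# Added example: exercise the libvpx VP8 encoder through GStreamer without a
# webcam, then sanity-check the container that comes out.
# Usage (hypothetical script name): sh vp8-regress.sh run [output.webm]

# Return 0 if FILE begins with the EBML magic (1A 45 DF A3), declares the
# "webm" DocType and carries the V_VP8 codec ID in its first 64 KiB.
is_vp8_webm() {
    f=$1
    [ -s "$f" ] || return 1                      # missing or empty file
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "1a45dfa3" ] || return 1        # not an EBML/Matroska file
    head -c 65536 "$f" | tr -d '\000' | LC_ALL=C grep -q 'webm'  || return 1
    head -c 65536 "$f" | tr -d '\000' | LC_ALL=C grep -q 'V_VP8' || return 1
    return 0
}

# Encode a fixed number of synthetic frames. num-buffers makes videotestsrc
# send EOS by itself, so webmmux finalizes the file and no Ctrl-C is needed.
encode_test_clip() {
    out=$1
    frames=${2:-150}
    gst-launch-1.0 -q videotestsrc num-buffers="$frames" ! videoconvert ! \
        vp8enc ! webmmux ! filesink location="$out"
}

# Only encode when explicitly asked, so the functions can be reused as-is.
if [ "${1:-}" = "run" ]; then
    target=${2:-vp8test.webm}
    if encode_test_clip "$target" && is_vp8_webm "$target"; then
        echo "OK: $target is a WebM file with a VP8 track"
    else
        echo "FAIL: VP8 encode or container check failed for $target" >&2
        exit 1
    fi
fi
```

The container check does not replace step 4 of the procedure: playing the file is still what confirms the frames decode to real video.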

Comment 4 Ben McMonagle 2023-09-29 07:34:45 CEST
the packages do not seem to be on :
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/8/i586/media/core/updates_testing/

http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/9/i586/media/core/updates_testing/

nor the nonfree repo :(

unless I'm looking in the wrong place.

CC: (none) => westel

Comment 5 Dan Fandrich 2023-09-29 08:26:53 CEST
It looks like packages built in the last 11 hours are not being synced. I'm not sure why.
Comment 6 Ben McMonagle 2023-09-29 08:35:16 CEST
thanks.

not just me then.
Comment 7 Brian Rockwell 2023-09-29 15:58:09 CEST
MGA8-64

The following 7 packages are going to be installed:

- glibc-2.36-50.mga9.x86_64
- glibc-devel-2.36-50.mga9.x86_64
- kernel-userspace-headers-6.5.3-1.mga9.x86_64
- lib64vpx-devel-1.12.0-1.1.mga9.x86_64
- lib64vpx7-1.12.0-1.1.mga9.x86_64
- lib64xcrypt-devel-4.4.33-3.mga9.x86_64
- libvpx-utils-1.12.0-1.1.mga9.x86_64

25MB of additional disk space will be used.


--- plugged in webcam

note to make the example work I had to run as root.

# gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! webmmux ! filesink location=vp8test.webm
Setting pipeline to PAUSED ...
Pipeline is live and does not need PREROLL ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
Redistribute latency...
Redistribute latency...
^Chandling interrupt.
Interrupt: Stopping pipeline ...
Execution ended after 0:00:18.234232439
Setting pipeline to NULL ...
Freeing pipeline ...


Was able to watch video with mplayer - it seems to work.

CC: (none) => brtians1
Whiteboard: MGA8TOO has_procedure => MGA8TOO has_procedure MGA8-64-OK

Brian Rockwell 2023-09-29 16:04:38 CEST

Whiteboard: MGA8TOO has_procedure MGA8-64-OK => MGA8TOO has_procedure MGA9-64-OK

Comment 8 Brian Rockwell 2023-09-29 16:05:18 CEST
(In reply to Brian Rockwell from comment #7)
> MGA8-64
> 
> The following 7 packages are going to be installed:
> 
> - glibc-2.36-50.mga9.x86_64
> - glibc-devel-2.36-50.mga9.x86_64
> - kernel-userspace-headers-6.5.3-1.mga9.x86_64
> - lib64vpx-devel-1.12.0-1.1.mga9.x86_64
> - lib64vpx7-1.12.0-1.1.mga9.x86_64
> - lib64xcrypt-devel-4.4.33-3.mga9.x86_64
> - libvpx-utils-1.12.0-1.1.mga9.x86_64
> 
> 25MB of additional disk space will be used.
> 
> 
> --- plugged in webcam
> 
> note to make the example work I had to run as root.
> 
> # gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc !
> webmmux ! filesink location=vp8test.webm
> Setting pipeline to PAUSED ...
> Pipeline is live and does not need PREROLL ...
> Pipeline is PREROLLED ...
> Setting pipeline to PLAYING ...
> New clock: GstSystemClock
> Redistribute latency...
> Redistribute latency...
> ^Chandling interrupt.
> Interrupt: Stopping pipeline ...
> Execution ended after 0:00:18.234232439
> Setting pipeline to NULL ...
> Freeing pipeline ...
> 
> 
> Was able to watch video with mplayer - it seems to work.

Actually MGA9 - will test MGA8 shortly
Comment 9 Brian Rockwell 2023-09-29 16:16:51 CEST
MGA8-64

The following 3 packages are going to be installed:

- lib64vpx-devel-1.9.0-1.1.mga8.x86_64
- lib64vpx6-1.9.0-1.1.mga8.x86_64
- libvpx-utils-1.9.0-1.1.mga8.x86_64

5MB of additional disk space will be used.


# gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc !  webmmux ! filesink location=vp8test.webm 
Setting pipeline to PAUSED ...
Pipeline is live and does not need PREROLL ...
Pipeline is PREROLLED ...
Setting pipeline to PLAYING ...
New clock: GstSystemClock
Redistribute latency...
^Chandling interrupt.
Interrupt: Stopping pipeline ...
Execution ended after 0:00:10.274946616
Setting pipeline to NULL ...
Freeing pipeline ...


video plays, but I must say the subject (video of me) is pretty sketchy.

Whiteboard: MGA8TOO has_procedure MGA9-64-OK => MGA8TOO has_procedure MGA9-64-OK MGA8-64-OK

Comment 10 Marja Van Waes 2023-09-29 22:49:00 CEST
The advisory has been uploaded

Keywords: (none) => advisory
CC: (none) => marja11

Comment 11 Brian Rockwell 2023-09-29 23:21:54 CEST
thanks Marja.

I know this is a lot of work, but wonderful to see your name out there again.
Comment 12 Thomas Andrews 2023-10-01 03:58:42 CEST
(In reply to Brian Rockwell from comment #11)
> thanks Marja.
> 
> I know this is a lot of work, but wonderful to see your name out there again.

100% agree. Marja, you have been a life saver.

Validating. Let's get this thing out there.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 13 Mageia Robot 2023-10-02 12:20:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0280.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

