News reports are claiming CVE-2023-5217 is being actively exploited in the wild. Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) The issue is allegedly fixed in libvpx 1.13.1. Chrome and Firefox are also vulnerable, but Chromium at least uses the system shared libvpx library.
CVE: (none) => CVE-2023-5217Whiteboard: (none) => MGA8TOO
It looks like 1.13.1 hasn't been released yet, but https://www.openwall.com/lists/oss-security/2023/09/28/5 points to https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590%5E%21/ as being the relevant patch, and that's what Arch at least has used. Cauldron and mga have 1.12.0 and mga8 has 1.9.0. The 1.13.0 release notes say "This release is ABI incompatible with the previous release." but they bumped the SONAME for some reason anyway. I've pushed libvpx-1.13.0-1.mga10 to Cauldron, but the SONAME bump means that all the dependent packages will need to be rebuilt.
Proposed security advisory text: ======================== Updated the libvpx package to fix a security vulnerability: Heap buffer overflow in vp8 encoding in libvpx allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217 https://www.openwall.com/lists/oss-security/2023/09/28/5 The following fixed RPMS are now available: mga9 ---- source libvpx-1.12.0-1.1.mga9.src.rpm i586 libvpx7-1.12.0-1.1.mga9.i586.rpm libvpx-utils-1.12.0-1.1.mga9.i586.rpm libvpx-devel-1.12.0-1.1.mga9.i586.rpm x86_64 libvpx-utils-1.12.0-1.1.mga9.x86_64.rpm lib64vpx7-1.12.0-1.1.mga9.x86_64.rpm lib64vpx-devel-1.12.0-1.1.mga9.x86_64.rpm mga8 ---- source libvpx-1.9.0-1.1.mga8.src.rpm i586 libvpx6-1.9.0-1.1.mga8.i586.rpm libvpx-devel-1.9.0-1.1.mga8.i586.rpm libvpx-utils-1.9.0-1.1.mga8.i586.rpm x86_64 libvpx-utils-1.9.0-1.1.mga8.x86_64.rpm lib64vpx6-1.9.0-1.1.mga8.x86_64.rpm lib64vpx-devel-1.9.0-1.1.mga8.x86_64.rpm
Assignee: bugsquad => qa-bugsStatus: NEW => ASSIGNED
Here's a basic regression test procedure that uses libvpx to encode VP8 video from a webcam to sure the library still works for that. 1. Install gstreamer1.0-vp8 and gstreamer1.0-tools 2. From a command-line, run: gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! webmmux ! filesink location=vp8test.webm 3. After a few seconds, press Ctrl-C to stop recording. 4. View the video file vp8test.webm using a web browser or video player to ensure it look like real video and was encoded correctly.
Whiteboard: MGA8TOO => MGA8TOO has_procedure
the packages do not seem to be on : http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/8/i586/media/core/updates_testing/ http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/9/i586/media/core/updates_testing/ nor the nonfree repo :( unless I'm looking in the wrong place.
CC: (none) => westel
It looks like packages built in the last 11 hours are not being synced. I'm not sure why.
thanks. not just me then.
MGA8-64 The following 7 packages are going to be installed: - glibc-2.36-50.mga9.x86_64 - glibc-devel-2.36-50.mga9.x86_64 - kernel-userspace-headers-6.5.3-1.mga9.x86_64 - lib64vpx-devel-1.12.0-1.1.mga9.x86_64 - lib64vpx7-1.12.0-1.1.mga9.x86_64 - lib64xcrypt-devel-4.4.33-3.mga9.x86_64 - libvpx-utils-1.12.0-1.1.mga9.x86_64 25MB of additional disk space will be used. --- plugged in webcam note to make the example work I had to run as root. # gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! webmmux ! filesink location=vp8test.webm Setting pipeline to PAUSED ... Pipeline is live and does not need PREROLL ... Pipeline is PREROLLED ... Setting pipeline to PLAYING ... New clock: GstSystemClock Redistribute latency... Redistribute latency... ^Chandling interrupt. Interrupt: Stopping pipeline ... Execution ended after 0:00:18.234232439 Setting pipeline to NULL ... Freeing pipeline ... Was able to watch video with mplayer - it seems to work.
CC: (none) => brtians1Whiteboard: MGA8TOO has_procedure => MGA8TOO has_procedure MGA8-64-OK
Whiteboard: MGA8TOO has_procedure MGA8-64-OK => MGA8TOO has_procedure MGA9-64-OK
(In reply to Brian Rockwell from comment #7) > MGA8-64 > > The following 7 packages are going to be installed: > > - glibc-2.36-50.mga9.x86_64 > - glibc-devel-2.36-50.mga9.x86_64 > - kernel-userspace-headers-6.5.3-1.mga9.x86_64 > - lib64vpx-devel-1.12.0-1.1.mga9.x86_64 > - lib64vpx7-1.12.0-1.1.mga9.x86_64 > - lib64xcrypt-devel-4.4.33-3.mga9.x86_64 > - libvpx-utils-1.12.0-1.1.mga9.x86_64 > > 25MB of additional disk space will be used. > > > --- plugged in webcam > > note to make the example work I had to run as root. > > # gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! > webmmux ! filesink location=vp8test.webm > Setting pipeline to PAUSED ... > Pipeline is live and does not need PREROLL ... > Pipeline is PREROLLED ... > Setting pipeline to PLAYING ... > New clock: GstSystemClock > Redistribute latency... > Redistribute latency... > ^Chandling interrupt. > Interrupt: Stopping pipeline ... > Execution ended after 0:00:18.234232439 > Setting pipeline to NULL ... > Freeing pipeline ... > > > Was able to watch video with mplayer - it seems to work. Actually MGA9 - will test MGA8 shortly
MGA8-64 The following 3 packages are going to be installed: - lib64vpx-devel-1.9.0-1.1.mga8.x86_64 - lib64vpx6-1.9.0-1.1.mga8.x86_64 - libvpx-utils-1.9.0-1.1.mga8.x86_64 5MB of additional disk space will be used. # gst-launch-1.0 v4l2src device=/dev/video0 ! videoconvert ! vp8enc ! webmmux ! filesink location=vp8test.webm Setting pipeline to PAUSED ... Pipeline is live and does not need PREROLL ... Pipeline is PREROLLED ... Setting pipeline to PLAYING ... New clock: GstSystemClock Redistribute latency... ^Chandling interrupt. Interrupt: Stopping pipeline ... Execution ended after 0:00:10.274946616 Setting pipeline to NULL ... Freeing pipeline ... video plays, but I must say the subject (video of me) is pretty sketchy.
Whiteboard: MGA8TOO has_procedure MGA9-64-OK => MGA8TOO has_procedure MGA9-64-OK MGA8-64-OK
The advisory has been uploaded
Keywords: (none) => advisoryCC: (none) => marja11
thanks Marja. I know this is a lot of work, but wonderful to see your name out there again.
(In reply to Brian Rockwell from comment #11) > thanks Marja. > > I know this is a lot of work, but wonderful to see your name out there again. 100% agree. Marja, you have been a life saver. Validating. Let's get this thing out there.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0280.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED