CVE-2023-44488 was announced on September 30: https://www.openwall.com/lists/oss-security/2023/09/30/4
Source RPM: (none) => libvpx-1.12.0-1.1.mga9.src.rpm
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2023-44488
CC: (none) => yvesbrungard
Suggested advisory:
========================

The updated packages fix a security vulnerability:

VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. (CVE-2023-44488)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44488
https://www.openwall.com/lists/oss-security/2023/09/30/4
========================

Updated packages in core/updates_testing:
========================
lib(64)vpx7-1.12.0-1.2.mga9
lib(64)vpx-devel-1.12.0-1.2.mga9
libvpx-utils-1.12.0-1.2.mga9

from SRPM:
libvpx-1.12.0-1.2.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
CC: (none) => marja11
Testing on real hardware, Mageia 9 x86_64, LXQt. No POC found to test; the update from the previous version works without issue.
MGA9-64 Plasma, i5-2500, Intel graphics. No installation issues with the update.

Curiously, in the process I saw that there was still a version of lib64vpx6 from mga8 installed. This install had been upgraded from mga8 to mga9 many months ago when it was still in Cauldron, and for some reason that package had never been removed. I removed it, and another mga8 package that depended on it, apparently without incident.

Looking at what uses lib64vpx7 presents a host of packages, including Handbrake and vlc. Looking at the Handbrake documentation online indicated that it does use libvpx to encode into the VP9 codec.

Using Handbrake on a mkv video I happened to have, I converted it to use a webm container, using VP9 as the codec. Then, I played the result in vlc, which identified that the codec that had been used was indeed VP9. There were no problems playing the video.

This looks good to go. Validating.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0338.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED