Bug 32586 - libvpx new security issue CVE-2023-44488
Summary: libvpx new security issue CVE-2023-44488
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-30 15:24 CET by Nicolas Salguero
Modified: 2023-12-04 10:31 CET
CC List: 4 users

See Also:
Source RPM: libvpx-1.12.0-1.1.mga9.src.rpm
CVE: CVE-2023-44488
Status comment:


Attachments

Description Nicolas Salguero 2023-11-30 15:24:21 CET
CVE-2023-44488 was announced on September 30:
https://www.openwall.com/lists/oss-security/2023/09/30/4
Nicolas Salguero 2023-11-30 15:25:16 CET

Source RPM: (none) => libvpx-1.12.0-1.1.mga9.src.rpm

Nicolas Salguero 2023-11-30 16:32:46 CET

Assignee: bugsquad => nicolas.salguero

papoteur 2023-12-01 09:44:31 CET

CVE: (none) => CVE-2023-44488
CC: (none) => yvesbrungard

Comment 1 Nicolas Salguero 2023-12-01 11:43:38 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. (CVE-2023-44488)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44488
https://www.openwall.com/lists/oss-security/2023/09/30/4
========================

Updated packages in core/updates_testing:
========================
lib(64)vpx7-1.12.0-1.2.mga9
lib(64)vpx-devel-1.12.0-1.2.mga9
libvpx-utils-1.12.0-1.2.mga9

from SRPM:
libvpx-1.12.0-1.2.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Marja Van Waes 2023-12-01 20:23:59 CET
Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 3 katnatek 2023-12-01 23:41:08 CET
Testing on real hardware, Mageia 9 x86_64, LXQt.
No PoC found to test; the update from the previous version works without issue.
Comment 4 Thomas Andrews 2023-12-01 23:47:33 CET
MGA9-64 Plasma, i5-2500, Intel graphics. No installation issues with the update.

Curiously, in the process I saw that there was still a version of lib64vpx6 from mga8 installed. This install had been upgraded from mga8 to mga9 many months ago when it was still in Cauldron, and for some reason that package had never been removed. I removed it, and another mga8 package that depended on it, apparently without incident.

Looking at what uses lib64vpx7 presents a host of packages, including Handbrake and vlc. Looking at the Handbrake documentation online indicated that it does use libvpx to encode into the VP9 codec.

Using Handbrake on a mkv video I happened to have, I converted it to use a webm container, using VP9 as the codec. Then, I played the result in vlc, which identified the codec that had been used was indeed VP9. There were no problems playing the video.

This looks good to go. Validating.
Thomas Andrews 2023-12-02 04:45:54 CET

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
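
Since comment 3 notes there is no PoC to run, and comment 4 turned up a leftover mga8 lib64vpx6 on an upgraded system, a package-level check is what a tester can actually verify: every installed libvpx package should be at or past the fixed NVR from comment 1 (1.12.0-1.2.mga9), and nothing from an older release should still be lingering. The script below is an added example written for this page, not Mageia's own QA tooling. The `rpm -qa --qf` output it consumes is a constructed sample, and the lib64vpx6 mga8 version string in it is a placeholder, not the real mga8 package version.

```shell
#!/bin/sh
# Audit installed libvpx packages against the fixed NVR from the advisory.
# Added example for this bug; constants below come from comment 1.

FIXED_VERSION="1.12.0"   # upstream version of the fixed build
FIXED_RELEASE="1.2"      # Mageia release number of the fixed build
FIXED_DISTRO="mga9"      # distribution tag the fix was built for

# ver_cmp A B: prints 1 if A > B, -1 if A < B, 0 if equal.
# Dot-separated numeric comparison; missing fields count as 0 (1.12 == 1.12.0).
ver_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) { print "1"; exit }
      if (xi < yi) { print "-1"; exit }
    }
    print "0"
  }'
}

# libvpx_status NVR: classify one "name-version-release.distro" string as
#   fixed        at or past 1.12.0-1.2.mga9
#   vulnerable   an mga9 libvpx build older than the fix
#   stale        a libvpx package from another distro release (e.g. leftover mga8)
#   not-libvpx   anything else
libvpx_status() {
  nvr=$1
  release=${nvr##*-}      # e.g. 1.2.mga9
  rest=${nvr%-*}          # e.g. lib64vpx7-1.12.0
  version=${rest##*-}     # e.g. 1.12.0
  name=${rest%-*}         # e.g. lib64vpx7
  distro=${release##*.}   # e.g. mga9
  relnum=${release%.*}    # e.g. 1.2

  case $name in
    lib64vpx*|libvpx*) ;;
    *) echo "not-libvpx"; return 0 ;;
  esac

  if [ "$distro" != "$FIXED_DISTRO" ]; then
    echo "stale"; return 0
  fi

  c=$(ver_cmp "$version" "$FIXED_VERSION")
  if [ "$c" -gt 0 ]; then
    echo "fixed"
  elif [ "$c" -eq 0 ] && [ "$(ver_cmp "$relnum" "$FIXED_RELEASE")" -ge 0 ]; then
    echo "fixed"
  else
    echo "vulnerable"
  fi
}

# audit_installed: read NVRs on stdin (one per line), print a status table,
# return 0 only if every libvpx package is fixed.
audit_installed() {
  bad=0
  while IFS= read -r nvr; do
    [ -n "$nvr" ] || continue
    status=$(libvpx_status "$nvr")
    printf '%-11s %s\n' "$status" "$nvr"
    [ "$status" = "fixed" ] || bad=$((bad + 1))
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample standing in for:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'lib*vpx*'
# It mirrors comment 4: the mga9 packages plus a leftover lib64vpx6 from mga8
# (the mga8 version "1.10.0" is a placeholder, not the real package version).
SAMPLE_RPM_OUTPUT='lib64vpx7-1.12.0-1.1.mga9
lib64vpx-devel-1.12.0-1.2.mga9
libvpx-utils-1.12.0-1.2.mga9
lib64vpx6-1.10.0-1.mga8'

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_installed \
  || echo "=> at least one libvpx package still needs attention"
```

On a live system, replace the sample with the real `rpm -qa --qf` pipeline; the tag check is there because an old lib64vpx6 from mga8 would not be touched by the update at all, so a version comparison alone would never flag it.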

Comment 5 Mageia Robot 2023-12-04 10:31:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0338.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

