SUSE has issued an advisory on March 22: https://lwn.net/Articles/966589/ The problem is fixed with: https://code.videolan.org/videolan/dav1d/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51
Status comment: (none) => Fixed upstream in 1.4.0 and patch available from upstream
Source RPM: (none) => dav1d-1.2.1-1.mga9.src.rpm
CVE: (none) => CVE-2024-1580
New version is best. I found no reference to the CVE on the site, and nothing about 1.4.0; but a newer version 1.4.1: https://code.videolan.org/videolan/dav1d/-/commit/162fb6d85ce9e49af64ad55f1a16df1ac07067d1
I think this is the patch: https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51
Assigning this to Stig, who normally maintains the SRPM.
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. (CVE-2024-1580)

References:
https://lwn.net/Articles/966589/
========================

Updated packages in core/updates_testing:
========================
dav1d-1.2.1-1.1.mga9
lib(64)dav1d6-1.2.1-1.1.mga9
lib(64)dav1d-devel-1.2.1-1.1.mga9

from SRPM:
dav1d-1.2.1-1.1.mga9.src.rpm
Status comment: Fixed upstream in 1.4.0 and patch available from upstream => (none)
Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
$ dav1d -v
1.2.1
$ dav1d -i 12demandeel1.avi -o 12.mpg
Failed to probe demuxer for file 12demandeel1.avi
I guess there is nothing wrong with this avi file since the command
$ ffmpeg -i 12demandeel1.avi 12.mpg
produces a mpg file that plays OK with vlc.
Missing something???
CC: (none) => herman.viaene
CC: (none) => andrewsfarm
I do not see a good way to test this other than having av1 video files; giving OK based on a clean install.

LC_ALL=C urpmi dav1d
installing dav1d-1.2.1-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: dav1d
LC_ALL=C urpmi lib64dav1d6
Marking lib64dav1d6 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
installing lib64dav1d6-1.2.1-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64dav1d6 ##################################################################################################
1/1: removing lib64dav1d6-1.2.1-1.mga9.x86_64 ##################################################################################################
Whiteboard: (none) => MGA9-64-OK
@Herman: You fell into the same trap I did when first confronting "av1" files. I read them as "avi" instead. Almost did the same thing with the recent gstreamer update. @katnatek: Handbrake will transcode videos into the av1 codec if set up for it. I just did a couple for the gstreamer update. The resulting file uses an mp4 container and file suffix, but the av1 codec. I'm not familiar with dav1d, but will have a look.
That took longer than expected.

MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics.

urpmq --whatrequires lib64dav1d6 produces a list that includes Chromium browser and vlc-plugins-common, among others. I chose vlc, and discovered it would not play the video for the av1 codec on this machine. Eventually, I found that vlc was trying to use GPU hardware acceleration to do the decoding, but my card doesn't support that codec. Removing the vlc vdpau plugin forced it to use the cpu, and then it played.

$ strace -o dav1d.txt vlc Spinner.mp4
played the video, though there were a LOT of complaints about it in the terminal. (I think it REALLY wanted to use hardware acceleration) A check of the resulting file showed one time when it accessed "/usr/lib64/vlc/plugins/codec/libpng_plugin.so" so it appears to work OK.
Created attachment 14495
Sample video using the av1 codec

The video I used is too big to attach. I found this one online.
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
(In reply to Thomas Andrews from comment #6)
> $ strace -o dav1d.txt vlc Spinner.mp4 played the video, though there were a
> LOT of complaints about it in the terminal. (I think it REALLY wanted to use
> hardware acceleration) A check of the resulting file showed one time when it
> accessed "/usr/lib64/vlc/plugins/codec/libpng_plugin.so" so it appears to
> work OK.

Copy error. That was supposed to be "/usr/lib64/vlc/plugins/codec/libdav1d_plugin.so" - and it wasn't even the right libdav1d. Sigh.

Another test using dragon produced a call to "/lib64/libdav1d.so.6" which is the correct library for this update.
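The strace check described in the comment above, as an added example that is not part of the original thread: it reports only the paths a traced player opened successfully, so a failed search-path probe is not mistaken for a load of the updated library. The function names and the sample trace are constructed for illustration; the two library paths are the ones quoted in the thread.

```shell
#!/bin/sh
# List the paths from which a traced process actually opened a given library,
# reading the file written by `strace -o`. Failed probes (= -1 ENOENT ...) are
# skipped, so only real loads are reported.

# loaded_paths TRACE_FILE LIBRARY_FILE_NAME   (hypothetical helper)
loaded_paths() {
    awk -v lib="$2" '
        # successful open()/openat(): the line ends in a file descriptor number
        /open(at)?\(/ && / = [0-9]+$/ {
            n = split($0, q, "\"")          # q[2] is the quoted path argument
            if (n < 3) next
            m = split(q[2], part, "/")
            if (part[m] == lib) print q[2]  # exact file name, not a substring
        }' "$1" | sort -u
}

# Constructed sample trace: one unrelated plugin, the VLC dav1d plugin, one
# failed probe for the library, and the successful load of the packaged copy.
write_sample() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/usr/lib64/vlc/plugins/codec/libpng_plugin.so", O_RDONLY|O_CLOEXEC) = 21
openat(AT_FDCWD, "/usr/lib64/vlc/plugins/codec/libdav1d_plugin.so", O_RDONLY|O_CLOEXEC) = 22
openat(AT_FDCWD, "/usr/lib64/vlc/libdav1d.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libdav1d.so.6", O_RDONLY|O_CLOEXEC) = 23
EOF
}

trace=$(mktemp)
write_sample "$trace"
echo "libdav1d.so.6 loaded from: $(loaded_paths "$trace" libdav1d.so.6)"
rm -f "$trace"
```

With `strace -f` each line gains a PID prefix, which the unanchored match still accepts.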
(In reply to Thomas Andrews from comment #7)
> Created attachment 14495
> Sample video using the av1 codec
>
> The video I used is too big to attach. I found this one online.

https://github.com/SPBTV/video_av1_samples/blob/master/spbtv_sample_bipbop_av1_960x540_25fps.mp4

Same video, I guess. I used vlc to play it because urpmq --whatrequires lib64dav1d6 produces vlc-plugin-common as part of the output.
The video plays well. BTW, I still do not get how to test dav1d.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0111.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED