Bug 33280 - aom new security issue CVE-2024-5171
Summary: aom new security issue CVE-2024-5171
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-06-10 10:16 CEST by Nicolas Salguero
Modified: 2024-06-14 19:31 CEST

See Also:
Source RPM: aom-3.6.0-1.mga9.src.rpm
CVE: CVE-2024-5171
Status comment:



Description Nicolas Salguero 2024-06-10 10:16:45 CEST
Ubuntu has issued an advisory on June 6:
https://ubuntu.com/security/notices/USN-6815-1

The following patches fix the problem:
https://aomedia.googlesource.com/aom/+/19d9966572a410804349e1a8ee2017fed49a6dab
https://aomedia.googlesource.com/aom/+/8156fb76d88845d716867d20333fd27001be47a8

Mageia 9 is also affected.
Nicolas Salguero 2024-06-10 10:17:21 CEST

CVE: (none) => CVE-2024-5171
Source RPM: (none) => aom-3.8.2-2.mga10.src.rpm
Status comment: (none) => Patches available from Ubuntu and upstream
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-06-10 20:25:31 CEST
Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-06-13 13:47:11 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:
* Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
* Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
* Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.

(CVE-2024-5171)

References:
https://ubuntu.com/security/notices/USN-6815-1
========================

Updated packages in core/updates_testing:
========================
aom-3.6.0-1.1.mga9
lib(64)aom3-3.6.0-1.1.mga9
lib(64)aom-devel-3.6.0-1.1.mga9

from SRPM:
aom-3.6.0-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Patches available from Ubuntu and upstream => (none)
Source RPM: aom-3.8.2-2.mga10.src.rpm => aom-3.6.0-1.mga9.src.rpm
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
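
The class of arithmetic failure named in the advisory in comment 2, as an added example (not part of this bug report and not libaom's code): a simplified one-plane buffer-size calculation, first in wrapping 32-bit arithmetic, then with each step checked. The function names, the single 8-bit plane model and the 1 GiB cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy limit for one plane; not a libaom constant. */
#define MAX_PLANE_BYTES ((uint64_t)1 << 30)

/* Unchecked model: stride is d_w rounded up to `align` (a power of two),
 * size is stride * d_h. Every step is 32-bit and silently wraps. */
static uint32_t plane_size_unchecked(uint32_t d_w, uint32_t d_h, uint32_t align) {
  uint32_t stride = (d_w + align - 1) & ~(align - 1); /* wraps near 2^32 */
  return stride * d_h;                                /* wraps past 4 GiB */
}

/* Checked model: reject bad parameters first, then do the arithmetic in
 * 64 bits, where two 32-bit operands cannot overflow the product. */
static bool plane_size_checked(uint32_t d_w, uint32_t d_h, uint32_t align,
                               size_t *out) {
  if (d_w == 0 || d_h == 0) return false;
  if (align == 0 || (align & (align - 1)) != 0) return false; /* power of 2 */
  if (d_w > UINT32_MAX - (align - 1)) return false; /* round-up would wrap */
  uint64_t stride = ((uint64_t)d_w + align - 1) & ~((uint64_t)align - 1);
  uint64_t size = stride * d_h;
  if (size > MAX_PLANE_BYTES) return false; /* also keeps it within size_t */
  *out = (size_t)size;
  return true;
}

int main(void) {
  /* Constructed inputs: one ordinary frame, two that wrap. */
  const uint32_t cases[3][3] = {
    { 1280u, 720u, 32u },        /* ordinary 1280x720 frame */
    { 65537u, 65536u, 1u },      /* product exceeds 2^32 */
    { 0xFFFFFFF0u, 16u, 32u },   /* alignment round-up exceeds 2^32 */
  };
  for (int i = 0; i < 3; i++) {
    size_t n = 0;
    bool ok = plane_size_checked(cases[i][0], cases[i][1], cases[i][2], &n);
    printf("%ux%u align %u: unchecked=%u checked=%s\n",
           (unsigned)cases[i][0], (unsigned)cases[i][1], (unsigned)cases[i][2],
           (unsigned)plane_size_unchecked(cases[i][0], cases[i][1], cases[i][2]),
           ok ? "accepted" : "rejected");
  }
  return 0;
}
```

In the two wrapping cases the unchecked result is far smaller than the image the dimensions describe, so any later write that trusts d_w and d_h runs past the allocation.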

katnatek 2024-06-13 19:49:07 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-06-14 04:40:52 CEST
RH mageia 9 x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64aom3-3.6.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64aom3             ##################################################################################################
      1/1: removing lib64aom3-3.6.0-1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi aom

installing aom-3.6.0-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: aom                   ##################################################################################################

References Bug#29808 comment#21, we lost some tools since that time

strace vlc Fountain_2997_3000kbps_1280x720_1x1PAR.ivf
Shows
newfstatat(AT_FDCWD, "/usr/lib64/vlc/plugins/codec/libaom_plugin.so", {st_mode=S_IFREG|0755, st_size=15336, ...}, 0) = 0

strace gst-play-1.0  Fountain_2997_3000kbps_1280x720_1x1PAR.ivf
newfstatat(AT_FDCWD, "/lib64/gstreamer-1.0/libgstaom.so", {st_mode=S_IFREG|0755, st_size=53520, ...}, 0) = 0

aomdec --help
aomenc --help

Shows the help

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-06-14 14:46:46 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-06-14 19:31:16 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0220.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

