33281 – libvpx new security issue CVE-2024-5197

Bug 33281 - libvpx new security issue CVE-2024-5197

Summary: libvpx new security issue CVE-2024-5197

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-06-10 10:20 CEST by Nicolas Salguero
Modified:	2024-06-14 19:31 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	libvpx-1.12.0-1.2.mga9.src.rpm
CVE:	CVE-2024-5197
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-06-10 10:20:11 CEST

Ubuntu has issued an advisory on June 6:
https://ubuntu.com/security/notices/USN-6814-1

The following patches fix the problem:
https://github.com/webmproject/libvpx/commit/c5640e3300690705c336966e2a8bb346a388c829
https://github.com/webmproject/libvpx/commit/9d7054c0cb83665a74cf6f59b6261f455e692149
https://github.com/webmproject/libvpx/commit/61c4d556bd03b97d84e3fa49180d14bde5a62baa

Mageia 9 is also affected.

Nicolas Salguero 2024-06-10 10:20:52 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libvpx-1.13.1-1.mga10.src.rpm
CVE: (none) => CVE-2024-5197
Status comment: (none) => Patches available from Ubuntu and upstream

Comment 1 Lewis Smith 2024-06-10 20:26:44 CEST

Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-06-13 13:50:14 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. (CVE-2024-5197)

References:
https://ubuntu.com/security/notices/USN-6814-1
========================

Updated packages in core/updates_testing:
========================
lib(64)vpx7-1.12.0-1.3.mga9
lib(64)vpx-devel-1.12.0-1.3.mga9
libvpx-utils-1.12.0-1.3.mga9

from SRPM:
libvpx-1.12.0-1.3.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from Ubuntu and upstream => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: libvpx-1.13.1-1.mga10.src.rpm => libvpx-1.12.0-1.2.mga9.src.rpm

katnatek 2024-06-13 19:46:54 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-06-14 04:01:13 CEST

RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64vpx7-1.12.0-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64vpx7             ##################################################################################################
      1/1: removing lib64vpx7-1.12.0-1.2.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi libvpx-utils

installing libvpx-utils-1.12.0-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: libvpx-utils          ##################################################################################################

References bug#32586 comment#4 and bug#25789 comment#5

Convert video to mkv with vo9 as video codec
Play result with vlc

strace mpv video.mkv show the library is opened
openat(AT_FDCWD, "/lib64/libvpx.so.7", O_RDONLY|O_CLOEXEC) = 3
The video play withot issues

strace mplayer video.mkv show the library is openend
openat(AT_FDCWD, "/lib64/libvpx.so.7", O_RDONLY|O_CLOEXEC) = 3
The video play without issues

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 4 katnatek 2024-06-14 04:02:59 CEST

(In reply to katnatek from comment #3)
> Convert video to mkv with vo9 as video codec
vo9 -> vp9

Comment 5 Thomas Andrews 2024-06-14 14:47:59 CEST

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2024-06-14 19:31:18 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0221.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.