Ubuntu has issued an advisory on June 6:
https://ubuntu.com/security/notices/USN-6814-1

The following patches fix the problem:
https://github.com/webmproject/libvpx/commit/c5640e3300690705c336966e2a8bb346a388c829
https://github.com/webmproject/libvpx/commit/9d7054c0cb83665a74cf6f59b6261f455e692149
https://github.com/webmproject/libvpx/commit/61c4d556bd03b97d84e3fa49180d14bde5a62baa

Mageia 9 is also affected.

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => libvpx-1.13.1-1.mga10.src.rpm
CVE: (none) => CVE-2024-5197
Status comment: (none) => Patches available from Ubuntu and upstream
Assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. (CVE-2024-5197)

References:
https://ubuntu.com/security/notices/USN-6814-1
========================

Updated packages in core/updates_testing:
========================
lib(64)vpx7-1.12.0-1.3.mga9
lib(64)vpx-devel-1.12.0-1.3.mga9
libvpx-utils-1.12.0-1.3.mga9

from SRPM:
libvpx-1.12.0-1.3.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patches available from Ubuntu and upstream => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: libvpx-1.13.1-1.mga10.src.rpm => libvpx-1.12.0-1.2.mga9.src.rpm
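
The overflow class described in the advisory above, as an added example that is not part of this bug report and is not libvpx's code: a simplified frame-size calculation in unchecked 32-bit arithmetic beside a checked version. The function names, the 4:2:0 layout and the int-stride limit are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of sizing a planar 4:2:0, 8-bit frame: one Y plane plus
 * two quarter-size chroma planes. Hypothetical helpers, not libvpx code. */

/* Unchecked: 32-bit unsigned arithmetic wraps silently on large inputs. */
static uint32_t frame_size_unchecked(uint32_t d_w, uint32_t d_h,
                                     uint32_t align) {
  uint32_t w = (d_w + align - 1) & ~(align - 1); /* round width up */
  uint32_t h = (d_h + 1) & ~1u;                  /* round height to even */
  return w * h + 2 * ((w / 2) * (h / 2));
}

/* Checked: 0 and *out on success, -1 when the arguments are invalid or the
 * result would not fit the types used to store it. */
static int frame_size_checked(uint32_t d_w, uint32_t d_h, uint32_t align,
                              size_t *out) {
  if (d_w == 0 || d_h == 0) return -1;
  if (align == 0 || (align & (align - 1)) != 0) return -1; /* power of 2 */
  /* Widen before rounding so the round-up itself cannot wrap. */
  uint64_t w = ((uint64_t)d_w + align - 1) & ~((uint64_t)align - 1);
  uint64_t h = ((uint64_t)d_h + 1) & ~(uint64_t)1;
  /* Assumption: the row stride is later stored in an int field. */
  if (w > INT_MAX) return -1;
  /* w < 2^31 and h <= 2^32, so the sum below stays under 2^64. */
  uint64_t total = w * h + 2 * ((w / 2) * (h / 2));
  if (total > SIZE_MAX) return -1;
  *out = (size_t)total;
  return 0;
}

int main(void) {
  /* Constructed inputs: {d_w, d_h, align}. */
  const uint32_t cases[][3] = {
      {640, 480, 32}, {65536, 65536, 1}, {0xFFFFFFF0u, 16, 32}};
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    size_t n = 0;
    int rc = frame_size_checked(cases[i][0], cases[i][1], cases[i][2], &n);
    printf("%ux%u align %u: unchecked=%u checked rc=%d size=%zu\n",
           (unsigned)cases[i][0], (unsigned)cases[i][1], (unsigned)cases[i][2],
           (unsigned)frame_size_unchecked(cases[i][0], cases[i][1], cases[i][2]),
           rc, n);
  }
  return 0;
}
```

In the unchecked version a 65536x65536 request yields a size far smaller than the frame needs, and a width near UINT32_MAX rounds to zero; the checked version rejects the latter instead of returning a struct with invalid fields.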
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64vpx7-1.12.0-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: lib64vpx7 ##################################################################################################
1/1: removing lib64vpx7-1.12.0-1.2.mga9.x86_64 ##################################################################################################

LC_ALL=C urpmi libvpx-utils

installing libvpx-utils-1.12.0-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: libvpx-utils ##################################################################################################

References bug#32586 comment#4 and bug#25789 comment#5

Convert video to mkv with vo9 as video codec
Play result with vlc

strace mpv video.mkv shows the library is opened
openat(AT_FDCWD, "/lib64/libvpx.so.7", O_RDONLY|O_CLOEXEC) = 3
The video plays without issues

strace mplayer video.mkv shows the library is opened
openat(AT_FDCWD, "/lib64/libvpx.so.7", O_RDONLY|O_CLOEXEC) = 3
The video plays without issues

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

(In reply to katnatek from comment #3)
> Convert video to mkv with vo9 as video codec

vo9 -> vp9
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0221.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED