This denial of service vulnerability affects versions before 1.0.0. An update to this version is needed in Cauldron as well. To go along with this update, firefox, xulrunner, ffmpeg, and mplayer will need to be rebuilt.
Blocks: (none) => 4405
Mandriva issued an advisory for this today (February 27): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023
Funda Wang has updated this for Cauldron, so now only Mageia 1 needs to be taken care of. The Mandriva update patched for this, so we could use the patch instead of updating the version, which will hopefully allow it to be updated without requiring anything to be rebuilt (MDV didn't have to rebuild anything).
CC: (none) => fundawang
Patched packages uploaded. I don't know if this will be pushed on its own or with the Firefox 10 update, but here's an advisory for this package.

Advisory:
========================

Updated libvpx packages fix security vulnerability:

VP8 Codec SDK (libvpx) before 1.0.0 Duclair allows remote attackers to cause a denial of service (application crash) via (1) unspecified corrupt input or (2) by starting decoding from a P-frame, which triggers an out-of-bounds read, related to the clamping of motion vectors in SPLITMV blocks (CVE-2012-0823).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0823
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023
========================

Updated packages in core/updates_testing:
========================
libvpx0-0.9.7-1.2.mga1
libvpx-devel-0.9.7-1.2.mga1
libvpx-utils-0.9.7-1.2.mga1

from libvpx-0.9.7-1.2.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Testing x86_64

No PoC so checking webm video in Firefox plays Ok.

Confirmed with strace that Firefox is using lib64vpx0

$ strace -o strace.out firefox
$ grep vpx strace.out
open("/usr/lib64/libvpx.so.0", O_RDONLY) = 4

Testing complete x86_64
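An added check (not part of this bug report or of the libvpx project) that automates the verification above: it parses strace output for a successful open() of a libvpx shared object and compares an installed EVR against the fixed 0.9.7-1.2.mga1 using rpmvercmp-style segment ordering. The strace lines are constructed, and the comparison omits tilde/caret handling.

```python
import re
from typing import List

# Fixed EVR from the advisory for Mageia 1 (version-release).
FIXED_EVR = "0.9.7-1.2.mga1"

# Constructed sample strace output, not a real capture.
SAMPLE_STRACE = """open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libvpx.so.0", O_RDONLY) = 4
open("/usr/lib64/libogg.so.0", O_RDONLY) = 5
"""


def _segments(s: str) -> List[str]:
    # rpmvercmp splits on non-alphanumerics and at digit/alpha boundaries.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings the way rpm does (no ~ or ^ handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif xd != yd:
            return 1 if xd else -1  # numeric segment sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments equal: the longer string is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a: str, b: str) -> int:
    """Compare version-release pairs: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str) -> bool:
    """True if the installed libvpx EVR is at or above the patched one."""
    return evr_cmp(installed_evr, FIXED_EVR) >= 0


def libvpx_opened(strace_text: str) -> List[str]:
    """Paths of libvpx objects that open() returned a valid fd for."""
    pat = re.compile(r'open\("([^"]*libvpx\.so[^"]*)",[^)]*\)\s*=\s*(\d+)')
    return [m.group(1) for m in pat.finditer(strace_text)]
```

Run `rpm -q --qf '%{VERSION}-%{RELEASE}' lib64vpx0` (or libvpx0 on i586) and pass the result to `is_fixed`; a failed open() returns -1 and is skipped by `libvpx_opened`.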
Validating the update. Confirmed firefox http://devfiles.myopera.com/articles/1891/sunflower-webm.html shows the video.

Could someone from the sysadmin team push the srpm libvpx-0.9.7-1.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Updated libvpx packages fix security vulnerability:

VP8 Codec SDK (libvpx) before 1.0.0 Duclair allows remote attackers to cause a denial of service (application crash) via (1) unspecified corrupt input or (2) by starting decoding from a P-frame, which triggers an out-of-bounds read, related to the clamping of motion vectors in SPLITMV blocks (CVE-2012-0823).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0823
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:023
https://bugs.mageia.org/show_bug.cgi?id=4701
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED