CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption


Debian Bug report logs - #610510

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Wed, 19 Jan 2011 10:15:01 UTC

Severity: serious

Tags: security, squeeze-ignore

Fixed in version libvpx/0.9.5-2

Done: Sebastian Dröge <slomo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#610510; Package libvpx. (Wed, 19 Jan 2011 10:15:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Dröge <slomo@debian.org>. (Wed, 19 Jan 2011 10:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
Date: Wed, 19 Jan 2011 11:11:41 +0100

Package: libvpx
Severity: serious
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libvpx.

CVE-2010-4489[0]:
| Google Chrome before 8.0.552.215 does not properly handle WebM video,
| which allows remote attackers to cause a denial of service
| (out-of-bounds read) via unspecified vectors.  NOTE: this vulnerability
| exists because of a regression.


Please ask upstream for an isolated patch for squeeze.
From the chromium side, they fixed this issue with the following commits:
http://src.chromium.org/viewvc/chrome?view=rev&revision=65287
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c?r1=65147&r2=65287&pathrev=65287
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libvpx/source/libvpx/vp8/decoder/decodframe.c?r1=65147&r2=65287&pathrev=65287


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4489
    http://security-tracker.debian.org/tracker/CVE-2010-4489

Cheers,
Giuseppe





Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#610510; Package libvpx. (Wed, 19 Jan 2011 13:33:10 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Sebastian Dröge <slomo@debian.org>. (Wed, 19 Jan 2011 13:33:10 GMT)


Message #10 received at 610510@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: "Giuseppe Iuculano" <iuculano@debian.org>, 610510@bugs.debian.org
Subject: Re: Bug#610510: CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
Date: Wed, 19 Jan 2011 13:29:09 -0000

user release.debian.org@packages.debian.org
tag 610510 + squeeze-ignore
usertag 610510 + squeeze-can-defer
thanks

On Wed, January 19, 2011 10:11, Giuseppe Iuculano wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libvpx.
>
> CVE-2010-4489[0]:
> | Google Chrome before 8.0.552.215 does not properly handle WebM video,
> | which allows remote attackers to cause a denial of service
> | (out-of-bounds read) via unspecified vectors.  NOTE: this vulnerability
> | exists because of a regression.

This can be fixed after release if required; marking as not a blocker for
squeeze.

Regards,

Adam





Added tag(s) squeeze-ignore. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 19 Jan 2011 13:33:11 GMT)


Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Tue, 08 Feb 2011 11:21:38 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Tue, 08 Feb 2011 11:21:38 GMT)


Message #17 received at 610510-close@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: 610510-close@bugs.debian.org
Subject: Bug#610510: fixed in libvpx 0.9.5-2
Date: Tue, 08 Feb 2011 11:17:45 +0000

Source: libvpx
Source-Version: 0.9.5-2

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive:

libvpx-dev_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx-dev_0.9.5-2_amd64.deb
libvpx-doc_0.9.5-2_all.deb
  to main/libv/libvpx/libvpx-doc_0.9.5-2_all.deb
libvpx0-dbg_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx0-dbg_0.9.5-2_amd64.deb
libvpx0_0.9.5-2_amd64.deb
  to main/libv/libvpx/libvpx0_0.9.5-2_amd64.deb
libvpx_0.9.5-2.debian.tar.gz
  to main/libv/libvpx/libvpx_0.9.5-2.debian.tar.gz
libvpx_0.9.5-2.dsc
  to main/libv/libvpx/libvpx_0.9.5-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 610510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 08 Feb 2011 11:59:42 +0100
Source: libvpx
Binary: libvpx-dev libvpx0 libvpx0-dbg libvpx-doc
Architecture: source all amd64
Version: 0.9.5-2
Distribution: unstable
Urgency: low
Maintainer: Sebastian Dröge <slomo@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 libvpx-dev - VP8 video codec (development files)
 libvpx-doc - VP8 video codec (API documentation)
 libvpx0    - VP8 video codec (shared library)
 libvpx0-dbg - VP8 video codec (debugging symbols)
Closes: 610510
Changes: 
 libvpx (0.9.5-2) unstable; urgency=low
 .
   * Upload to unstable.
   * debian/patches/02_cve-2010-4489.patch:
     + SECURITY -- CVE 2010-4489: Fix integer overflow in decoder
       Patch taken from upstream GIT (Closes: #610510).





Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#610510; Package libvpx. (Sat, 19 Feb 2011 23:15:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Dröge <slomo@debian.org>. (Sat, 19 Feb 2011 23:15:06 GMT)


Message #22 received at 610510@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 610510@bugs.debian.org
Subject: (PRSC) Re: Bug#610510: CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
Date: Sat, 19 Feb 2011 23:14:01 +0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.1)

Please arrange to backport your fix and liaise with the release team for
permission to upload. I will happily assist you if the patch is
straightforward and you need help or lack time.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Dröge <slomo@debian.org>:
Bug#610510; Package libvpx. (Tue, 08 Mar 2011 23:21:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Sebastian Dröge <slomo@debian.org>. (Tue, 08 Mar 2011 23:21:05 GMT)


Message #27 received at 610510@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 610510@bugs.debian.org
Subject: (PRSC) Re: Bug#610510: CVE-2010-4489: Integer Overflow in VP8 decoding leads to memory corruption
Date: Tue, 8 Mar 2011 23:17:06 +0000

On closer inspection (preparation to NMU), this bug does not appear to
affect squeeze, so please ignore my request and sorry for the noise.

Thanks,


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Apr 2011 07:40:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:34:29 2019; Machine Name: beach
