libvpx: CVE-2017-0641

Related Vulnerabilities: CVE-2017-0641, CVE-2015-1258

Debian Bug report logs - #871931
libvpx: CVE-2017-0641


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 12 Aug 2017 17:03:01 UTC

Severity: minor

Tags: security, upstream

Found in versions libvpx/1.3.0-3, libvpx/1.6.1-3



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#871931; Package src:libvpx. (Sat, 12 Aug 2017 17:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 12 Aug 2017 17:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvpx: CVE-2017-0641
Date: Sat, 12 Aug 2017 18:59:38 +0200
Source: libvpx
Version: 1.6.1-3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvpx.

CVE-2017-0641[0]:
| A remote denial of service vulnerability in libvpx in Mediaserver
| could enable an attacker to use a specially crafted file to cause a
| device hang or reboot. This issue is rated as High severity due to the
| possibility of remote denial of service. Product: Android. Versions:
| 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID:
| A-34360591.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0641
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#871931; Package src:libvpx. (Sat, 12 Aug 2017 17:57:03 GMT)


Acknowledgement sent to Ondrej Novy <novy@ondrej.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 12 Aug 2017 17:57:03 GMT)


Message #10 received at 871931@bugs.debian.org:

From: Ondrej Novy <novy@ondrej.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 871931@bugs.debian.org
Subject: Re: Bug#871931: libvpx: CVE-2017-0641
Date: Sat, 12 Aug 2017 13:52:43 -0400
Hi,

we are already using:

--size-limit=16384x16384

configure option. So I __think__ we are not vulnerable.

-- 
Best regards
 Ondřej Nový

Email: novy@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5  6090 3573 1255 9D1E 064B

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#871931; Package src:libvpx. (Sat, 12 Aug 2017 19:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 12 Aug 2017 19:39:06 GMT)


Message #15 received at 871931@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ondrej Novy <novy@ondrej.org>, 871931@bugs.debian.org
Cc: jmm@debian.org
Subject: Re: Bug#871931: libvpx: CVE-2017-0641
Date: Sat, 12 Aug 2017 21:37:12 +0200
Hi

On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> Hi,
> 
> we are already using:
> 
> --size-limit=16384x16384

Yup, I know that, I added that comment to the tracker. It's not clear
to me if we need to limit it quite further. The Android approach is to
limit it to 4k frames. Maybe indeed we should mark it as fixed for that
version where the size-limit was added (which should be 1.4.0-4). But
the size-limit to 16384x16384 was back in 2015 added to
mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
it further.

*but*

cc'ing Moritz, who added libvpx to our DSA needed list on that
purpose.

Regards,
Salvatore
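The `--size-limit=WxH` option discussed in this thread is a configure-time cap that libvpx's decoder enforces on declared frame dimensions. The script below is an added example, not part of this bug log and not libvpx's own code: it applies the same kind of guard before decoding by parsing the IVF container header and each VP8 keyframe header and rejecting any declared size above a policy limit. It uses Debian's 16384x16384 from the thread and, as an assumed value for a tighter "4k-class" policy, a constructed 4096x2304 (the thread only says "4k frames" and gives no exact figure). All sample files are constructed inline; the container-versus-keyframe mismatch case shows why the check has to read the codec header and not only the container.

```python
"""Added example: a pre-decode frame-size guard for IVF-wrapped VP8 streams.
Not libvpx code; it mirrors the idea behind the --size-limit=WxH build option."""
import struct

# Debian's build-time limit, as quoted in the bug thread.
DEBIAN_SIZE_LIMIT = (16384, 16384)
# Constructed tighter policy for illustration; the thread only says "4k frames"
# and gives no exact Android figure, so this value is an assumption.
EXAMPLE_4K_POLICY = (4096, 2304)

IVF_MAGIC = b"DKIF"
IVF_HEADER_LEN = 32          # fixed-size IVF file header
IVF_FRAME_HEADER_LEN = 12    # u32 frame size + u64 timestamp
VP8_START_CODE = b"\x9d\x01\x2a"


class FrameTooLarge(ValueError):
    """A declared frame size exceeds the configured limit."""


def check_dims(width, height, limit, where):
    max_w, max_h = limit
    if width > max_w or height > max_h:
        raise FrameTooLarge(f"{where}: {width}x{height} exceeds {max_w}x{max_h}")
    return (width, height)


def parse_ivf_header(data):
    """Return (fourcc, width, height) from the 32-byte IVF file header."""
    if len(data) < IVF_HEADER_LEN or data[:4] != IVF_MAGIC:
        raise ValueError("not an IVF file")
    version, hdr_len, fourcc, width, height = struct.unpack_from("<HH4sHH", data, 4)
    if version != 0 or hdr_len != IVF_HEADER_LEN:
        raise ValueError("unsupported IVF header")
    return fourcc, width, height


def parse_vp8_keyframe_dims(frame):
    """Return (width, height) for a VP8 keyframe, or None for an interframe.
    Layout per RFC 6386: 3-byte frame tag (bit 0 set = interframe), then for
    keyframes the start code 9d 01 2a and two little-endian u16 fields whose
    low 14 bits carry width and height (the top 2 bits are scaling hints)."""
    if len(frame) < 3:
        raise ValueError("frame too short for a VP8 frame tag")
    tag = frame[0] | (frame[1] << 8) | (frame[2] << 16)
    if tag & 1:
        return None
    if len(frame) < 10 or frame[3:6] != VP8_START_CODE:
        raise ValueError("malformed VP8 keyframe header")
    w_raw, h_raw = struct.unpack_from("<HH", frame, 6)
    return (w_raw & 0x3FFF, h_raw & 0x3FFF)


def screen_ivf(data, limit=DEBIAN_SIZE_LIMIT):
    """Check every declared size against `limit`; return the keyframe sizes seen."""
    fourcc, width, height = parse_ivf_header(data)
    check_dims(width, height, limit, "IVF header")
    if fourcc != b"VP80":
        raise ValueError(f"unsupported codec {fourcc!r}")
    seen = []
    pos = IVF_HEADER_LEN
    while pos + IVF_FRAME_HEADER_LEN <= len(data):
        size, _timestamp = struct.unpack_from("<IQ", data, pos)
        pos += IVF_FRAME_HEADER_LEN
        payload = data[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated frame")
        dims = parse_vp8_keyframe_dims(payload)
        if dims is not None:
            seen.append(check_dims(*dims, limit, f"keyframe at offset {pos}"))
        pos += size
    return seen


def is_within_limit(data, limit=DEBIAN_SIZE_LIMIT):
    """Boolean form of screen_ivf, for accept/reject decisions in a pipeline."""
    try:
        screen_ivf(data, limit)
        return True
    except FrameTooLarge:
        return False


# --- constructed sample inputs (synthetic, not captured files) ---
def build_ivf(width, height, frames):
    header = IVF_MAGIC + struct.pack(
        "<HH4sHHIIII", 0, IVF_HEADER_LEN, b"VP80", width, height, 30, 1, len(frames), 0)
    body = b"".join(struct.pack("<IQ", len(f), i) + f for i, f in enumerate(frames))
    return header + body


def build_vp8_keyframe(width, height):
    tag = 1 << 4  # keyframe (bit 0 clear), version 0, show_frame set
    return (bytes([tag & 0xFF, (tag >> 8) & 0xFF, (tag >> 16) & 0xFF])
            + VP8_START_CODE + struct.pack("<HH", width & 0x3FFF, height & 0x3FFF)
            + b"\x00" * 4)


if __name__ == "__main__":
    honest = build_ivf(640, 480, [build_vp8_keyframe(640, 480)])
    # Container says 640x480 but the keyframe declares 8192x8192: a container-only
    # check passes this; the codec-header check rejects it under the 4k policy.
    lying = build_ivf(640, 480, [build_vp8_keyframe(8192, 8192)])
    print(screen_ivf(honest))
    print(is_within_limit(lying), is_within_limit(lying, EXAMPLE_4K_POLICY))
```

Note that VP8's 14-bit dimension fields cannot express anything above 16383, so a 16384x16384 cap only bites on the container header for VP8; the keyframe check still matters because a container can under-declare the size, and a tighter policy such as the 4k one does reject oversized keyframes.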



Marked as found in versions libvpx/1.3.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 Aug 2017 19:57:06 GMT)


Severity set to 'minor' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 12 Aug 2017 20:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#871931; Package src:libvpx. (Sat, 12 Aug 2017 20:42:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 12 Aug 2017 20:42:03 GMT)


Message #24 received at 871931@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Ondrej Novy <novy@ondrej.org>, 871931@bugs.debian.org
Subject: Re: Bug#871931: libvpx: CVE-2017-0641
Date: Sat, 12 Aug 2017 22:15:33 +0200
On Sat, Aug 12, 2017 at 09:37:12PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> > Hi,
> > 
> > we are already using:
> > 
> > --size-limit=16384x16384
> 
> Yup, I know that, I added that comment to the tracker. It's not clear
> to me if we need to limit it quite further. The Android approach is to
> limit it to 4k frames. Maybe indeed we should mark it as fixed for that
> version where the size-limit was added (which should be 1.4.0-4). But
> the size-limit to 16384x16384 was back in 2015 added to
> mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
> it further.

I think our build is perfectly fine in stretch. It's probably a bigger
issue for libvpx as used by smart phones, but for a desktop build
I don't think we should modify the current defaults in stable (it might
break existing setups even).

I think we can mark this as unimportant and for buster follow upstream
defaults.

> cc'ing Moritz, who added libvpx to our DSA needed list on that
> purpose.

That was only for oldstable, sorry for the confusion.

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:56 2019; Machine Name: buxtehude
