Debian Bug report logs -
#871931
libvpx: CVE-2017-0641
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#871931
; Package src:libvpx
.
(Sat, 12 Aug 2017 17:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Sat, 12 Aug 2017 17:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libvpx
Version: 1.6.1-3
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for libvpx.
CVE-2017-0641[0]:
| A remote denial of service vulnerability in libvpx in Mediaserver
| could enable an attacker to use a specially crafted file to cause a
| device hang or reboot. This issue is rated as High severity due to the
| possibility of remote denial of service. Product: Android. Versions:
| 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID:
| A-34360591.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-0641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0641
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#871931
; Package src:libvpx
.
(Sat, 12 Aug 2017 17:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondrej Novy <novy@ondrej.org>
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Sat, 12 Aug 2017 17:57:03 GMT) (full text, mbox, link).
Message #10 received at 871931@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
we are already using:
--size-limit=16384x16384
configure option. So I __think__ we are not vulnerable.
--
Best regards
Ondřej Nový
Email: novy@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5 6090 3573 1255 9D1E 064B
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#871931
; Package src:libvpx
.
(Sat, 12 Aug 2017 19:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Sat, 12 Aug 2017 19:39:06 GMT) (full text, mbox, link).
Message #15 received at 871931@bugs.debian.org (full text, mbox, reply):
Hi
On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> Hi,
>
> we are already using:
>
> --size-limit=16384x16384
Yupp, I know that, I added that comment to the tracker. It's not clear
to me if we need to limit it quite further. The android approach is to
limit it to 4k frames. Mabe inded we shoult mark it as fixed for that
version where the size-limit was added (which should be 1.4.0-4. But
the size-limit to 16384x16384 was back in 2015 added to
mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
it further.
*but*
cc'ing Moritz, who added libvpx to our DSA needed list on that
purpose.
Regards,
Salvatore
Marked as found in versions libvpx/1.3.0-3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 12 Aug 2017 19:57:06 GMT) (full text, mbox, link).
Severity set to 'minor' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sat, 12 Aug 2017 20:21:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#871931
; Package src:libvpx
.
(Sat, 12 Aug 2017 20:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Sat, 12 Aug 2017 20:42:03 GMT) (full text, mbox, link).
Message #24 received at 871931@bugs.debian.org (full text, mbox, reply):
On Sat, Aug 12, 2017 at 09:37:12PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> > Hi,
> >
> > we are already using:
> >
> > --size-limit=16384x16384
>
> Yupp, I know that, I added that comment to the tracker. It's not clear
> to me if we need to limit it quite further. The android approach is to
> limit it to 4k frames. Mabe inded we shoult mark it as fixed for that
> version where the size-limit was added (which should be 1.4.0-4. But
> the size-limit to 16384x16384 was back in 2015 added to
> mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
> it further.
I think our build is perfectly fine in stretch. It's probably a bigger
issue for libvpx as used by smart phones, but for a desktop build
I don't think we shoudl modify the current defaults in stable (it might
break existing setups even).
I think we can mark this as unimportant and for buster follow upstream
defaults.
> cc'ing Moritz, who added libvpx to our DSA needed list on that
> purpose.
That was only for oldstable, sorry for the confusion.
Cheers,
Moritz
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:13:56 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.