libvpx: CVE-2023-5217

Related Vulnerabilities: CVE-2023-5217  

Debian Bug report logs - #1053182

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 28 Sep 2023 20:45:04 UTC

Severity: grave

Tags: security, upstream

Found in versions libvpx/1.9.0-1, libvpx/1.12.0-1

Fixed in version libvpx/1.12.0-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1053182; Package src:libvpx. (Thu, 28 Sep 2023 20:45:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 28 Sep 2023 20:45:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvpx: CVE-2023-5217
Date: Thu, 28 Sep 2023 22:43:40 +0200
Source: libvpx
Version: 1.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libvpx.

CVE-2023-5217[0]:
| Heap buffer overflow in vp8 encoding in libvpx in Google Chrome
| prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker
| to potentially exploit heap corruption via a crafted HTML page.
| (Chromium security severity: High)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-5217
    https://www.cve.org/CVERecord?id=CVE-2023-5217
[1] https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
[2] https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, sramacher@debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1053182; Package src:libvpx. (Thu, 28 Sep 2023 21:18:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to sramacher@debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 28 Sep 2023 21:18:03 GMT).


Message #10 received at 1053182@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1053182@bugs.debian.org
Subject: libvpx: diff for NMU version 1.12.0-1.1
Date: Thu, 28 Sep 2023 23:14:20 +0200
X-Debbugs-CC: Sebastian Ramacher <sramacher@debian.org>

Control: tags 1053182 + patch
Control: tags 1053182 + pending


Dear maintainer,

I've prepared an NMU for libvpx (versioned as 1.12.0-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[libvpx-1.12.0-1.1-nmu.diff (text/x-diff, attachment)]

Marked as found in versions libvpx/1.9.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 28 Sep 2023 21:42:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1053182; Package src:libvpx. (Fri, 29 Sep 2023 14:03:03 GMT).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 29 Sep 2023 14:03:03 GMT).


Message #17 received at 1053182@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1053182@bugs.debian.org
Subject: Re: Bug#1053182: libvpx: diff for NMU version 1.12.0-1.1
Date: Fri, 29 Sep 2023 16:00:17 +0200

On 2023-09-28 23:14:20 +0200, Salvatore Bonaccorso wrote:
> X-Debbugs-CC: Sebastian Ramacher <sramacher@debian.org>
> 
> Control: tags 1053182 + patch
> Control: tags 1053182 + pending
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for libvpx (versioned as 1.12.0-1.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.

Thanks for working on the fix! Please feel free to reschedule it so that
it directly lands in unstable.

Cheers

> 
> Regards,
> Salvatore

> diff -Nru libvpx-1.12.0/debian/changelog libvpx-1.12.0/debian/changelog
> --- libvpx-1.12.0/debian/changelog	2022-07-09 15:20:25.000000000 +0200
> +++ libvpx-1.12.0/debian/changelog	2023-09-28 23:07:11.000000000 +0200
> @@ -1,3 +1,11 @@
> +libvpx (1.12.0-1.1) unstable; urgency=high
> +
> +  * Non-maintainer upload.
> +  * encode_api_test: add ConfigResizeChangeThreadCount
> +  * VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182)
> +
> + -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 Sep 2023 23:07:11 +0200
> +
>  libvpx (1.12.0-1) unstable; urgency=medium
>  
>    * Team upload
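
Review bot: The first new changelog bullet, "encode_api_test: add ConfigResizeChangeThreadCount", does not say that it is the regression test belonging to the CVE fix in the bullet below it, so a search of the changelog for CVE-2023-5217 finds only one of the two patches. Consider adding the CVE id to both bullets, or listing the test line as a sub-item of the fix.
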
> diff -Nru libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch
> --- libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch	2023-09-28 23:07:11.000000000 +0200
> @@ -0,0 +1,89 @@
> +From: James Zern <jzern@google.com>
> +Date: Mon, 25 Sep 2023 18:53:41 -0700
> +Subject: encode_api_test: add ConfigResizeChangeThreadCount
> +Origin: https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
> +Bug-Debian: https://bugs.debian.org/1053182
> +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-5217
> +
> +Update thread counts and resolution to ensure allocations are updated
> +correctly. VP8 is disabled to avoid a crash.
> +
> +Bug: chromium:1486441
> +Change-Id: Ie89776d9818d27dc351eff298a44c699e850761b
> +---
> + test/encode_api_test.cc | 50 ++++++++++++++++++++++++++++++++++++++++-
> + 1 file changed, 49 insertions(+), 1 deletion(-)
> +
> +--- a/test/encode_api_test.cc
> ++++ b/test/encode_api_test.cc
> +@@ -304,7 +304,6 @@ TEST(EncodeAPI, SetRoi) {
> + 
> + void InitCodec(const vpx_codec_iface_t &iface, int width, int height,
> +                vpx_codec_ctx_t *enc, vpx_codec_enc_cfg_t *cfg) {
> +-  ASSERT_EQ(vpx_codec_enc_config_default(&iface, cfg, 0), VPX_CODEC_OK);
> +   cfg->g_w = width;
> +   cfg->g_h = height;
> +   cfg->g_lag_in_frames = 0;
> +@@ -342,6 +341,7 @@ TEST(EncodeAPI, ConfigChangeThreadCount)
> +         vpx_codec_ctx_t ctx = {};
> +       } enc;
> + 
> ++      ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
> +       EXPECT_NO_FATAL_FAILURE(
> +           InitCodec(*iface, kWidth, kHeight, &enc.ctx, &cfg));
> +       if (IsVP9(iface)) {
> +@@ -353,6 +353,54 @@ TEST(EncodeAPI, ConfigChangeThreadCount)
> + 
> +       for (const auto threads : { 1, 4, 8, 6, 2, 1 }) {
> +         cfg.g_threads = threads;
> ++        EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx))
> ++            << "iteration: " << i << " threads: " << threads;
> ++      }
> ++    }
> ++  }
> ++}
> ++
> ++TEST(EncodeAPI, ConfigResizeChangeThreadCount) {
> ++  constexpr int kInitWidth = 1024;
> ++  constexpr int kInitHeight = 1024;
> ++
> ++  for (const auto *iface : kCodecIfaces) {
> ++    SCOPED_TRACE(vpx_codec_iface_name(iface));
> ++    if (!IsVP9(iface)) {
> ++      GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this condition "
> ++                      "after VP8 is fixed.";
> ++    }
> ++    for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) {
> ++      vpx_codec_enc_cfg_t cfg = {};
> ++      struct Encoder {
> ++        ~Encoder() { EXPECT_EQ(vpx_codec_destroy(&ctx), VPX_CODEC_OK); }
> ++        vpx_codec_ctx_t ctx = {};
> ++      } enc;
> ++
> ++      ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
> ++      // Start in threaded mode to ensure resolution and thread related
> ++      // allocations are updated correctly across changes in resolution and
> ++      // thread counts. See https://crbug.com/1486441.
> ++      cfg.g_threads = 4;
> ++      EXPECT_NO_FATAL_FAILURE(
> ++          InitCodec(*iface, kInitWidth, kInitHeight, &enc.ctx, &cfg));
> ++      if (IsVP9(iface)) {
> ++        EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_TILE_COLUMNS, 6),
> ++                  VPX_CODEC_OK);
> ++        EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_ROW_MT, i),
> ++                  VPX_CODEC_OK);
> ++      }
> ++
> ++      cfg.g_w = 1000;
> ++      cfg.g_h = 608;
> ++      EXPECT_EQ(vpx_codec_enc_config_set(&enc.ctx, &cfg), VPX_CODEC_OK)
> ++          << vpx_codec_error_detail(&enc.ctx);
> ++
> ++      cfg.g_w = 16;
> ++      cfg.g_h = 720;
> ++
> ++      for (const auto threads : { 1, 4, 8, 6, 2, 1 }) {
> ++        cfg.g_threads = threads;
> +         EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx))
> +             << "iteration: " << i << " threads: " << threads;
> +       }
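
Review bot: GTEST_SKIP() is called inside the "for (const auto *iface : kCodecIfaces)" loop of the new ConfigResizeChangeThreadCount test, and it returns from the whole test body rather than skipping one iteration, so if a VP8 interface comes before VP9 in kCodecIfaces (its order is not visible in this hunk) the VP9 case never runs and the test is only reported as skipped. A "continue" for the non-VP9 case would keep the VP9 coverage for as long as the skip is needed. Separately, the first embedded hunk moves vpx_codec_enc_config_default() out of InitCodec() and only the two callers shown here gain the call; any other caller of InitCodec() would now pass a cfg without the codec defaults and should be checked.
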
> diff -Nru libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch
> --- libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch	2023-09-28 23:07:11.000000000 +0200
> @@ -0,0 +1,51 @@
> +From: James Zern <jzern@google.com>
> +Date: Mon, 25 Sep 2023 18:55:59 -0700
> +Subject: VP8: disallow thread count changes
> +Origin: https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
> +Bug-Debian: https://bugs.debian.org/1053182
> +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-5217
> +
> +Currently allocations are done at encoder creation time. Going from
> +threaded to non-threaded would cause a crash.
> +
> +Bug: chromium:1486441
> +Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4
> +---
> + test/encode_api_test.cc | 4 ----
> + vp8/encoder/onyx_if.c   | 5 +++++
> + 2 files changed, 5 insertions(+), 4 deletions(-)
> +
> +diff --git a/test/encode_api_test.cc b/test/encode_api_test.cc
> +index a8a4df2ddf88..f1c98b2c71c9 100644
> +--- a/test/encode_api_test.cc
> ++++ b/test/encode_api_test.cc
> +@@ -370,10 +370,6 @@ TEST(EncodeAPI, ConfigResizeChangeThreadCount) {
> + 
> +   for (const auto *iface : kCodecIfaces) {
> +     SCOPED_TRACE(vpx_codec_iface_name(iface));
> +-    if (!IsVP9(iface)) {
> +-      GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this condition "
> +-                      "after VP8 is fixed.";
> +-    }
> +     for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) {
> +       vpx_codec_enc_cfg_t cfg = {};
> +       struct Encoder {
> +diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c
> +index c65afc643bf6..c5e9970c3cc8 100644
> +--- a/vp8/encoder/onyx_if.c
> ++++ b/vp8/encoder/onyx_if.c
> +@@ -1447,6 +1447,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) {
> +   last_h = cpi->oxcf.Height;
> +   prev_number_of_layers = cpi->oxcf.number_of_layers;
> + 
> ++  if (cpi->initial_width) {
> ++    // TODO(https://crbug.com/1486441): Allow changing thread counts; the
> ++    // allocation is done once in vp8_create_compressor().
> ++    oxcf->multi_threaded = cpi->oxcf.multi_threaded;
> ++  }
> +   cpi->oxcf = *oxcf;
> + 
> +   switch (cpi->oxcf.Mode) {
> +-- 
> +2.40.1
> +
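
Review bot: In the vp8_change_config() hunk, "oxcf->multi_threaded = cpi->oxcf.multi_threaded;" writes through the caller-supplied config pointer to keep the old thread setting, so a requested thread-count change is dropped with no error or log visible in this hunk, and the caller's struct is modified as a side effect. It would be cleaner to save cpi->oxcf.multi_threaded, do "cpi->oxcf = *oxcf;", and then restore the saved value into cpi->oxcf, leaving the input untouched. The comment should also say why a non-zero cpi->initial_width is the right test for "allocations already done".
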
> diff -Nru libvpx-1.12.0/debian/patches/series libvpx-1.12.0/debian/patches/series
> --- libvpx-1.12.0/debian/patches/series	2021-09-01 23:10:14.000000000 +0200
> +++ libvpx-1.12.0/debian/patches/series	2023-09-28 23:07:11.000000000 +0200
> @@ -1 +1,3 @@
>  0001-Relax-ABI-check.patch
> +0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch
> +0003-VP8-disallow-thread-count-changes.patch


-- 
Sebastian Ramacher



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 29 Sep 2023 15:03:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 29 Sep 2023 15:03:05 GMT).


Message #22 received at 1053182-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1053182-close@bugs.debian.org
Subject: Bug#1053182: fixed in libvpx 1.12.0-1.1
Date: Fri, 29 Sep 2023 14:58:43 +0000
Source: libvpx
Source-Version: 1.12.0-1.1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2023 23:07:11 +0200
Source: libvpx
Architecture: source
Version: 1.12.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1053182
Changes:
 libvpx (1.12.0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * encode_api_test: add ConfigResizeChangeThreadCount
   * VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182)
Checksums-Sha1: 
 4e470f2563cb689eb5acf849b55125fa09d4eddf 2408 libvpx_1.12.0-1.1.dsc
 eccfda27dbb8a997d5a58564ad94c6ea5e1408b9 14072 libvpx_1.12.0-1.1.debian.tar.xz
Checksums-Sha256: 
 6b6a0a7efcef28b623f84f9e5b33dfbb292d20fa5c0afc2fe45ef3ac1ed1bf98 2408 libvpx_1.12.0-1.1.dsc
 296afb181810918c62fc2082106ac0a396dd9c9d804cb52a217c401ca1995812 14072 libvpx_1.12.0-1.1.debian.tar.xz
Files: 
 01899f23ad787563bca206af97744ed1 2408 video optional libvpx_1.12.0-1.1.dsc
 2b4d5b7577c42763dde6640d00872393 14072 video optional libvpx_1.12.0-1.1.debian.tar.xz



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 29 17:52:36 2023; Machine Name: buxtehude
