Gentoo Archives: gentoo-announce

From: Tim Sammut <underling@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201101-03 ] libvpx: User-assisted execution of arbitrary code
Date: Sat, 15 Jan 2011 03:40:48
Message-Id: 4D3104C2.5040608@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201101-03
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: libvpx: User-assisted execution of arbitrary code
9 Date: January 15, 2011
10 Bugs: #345559
11 ID: 201101-03
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Timothy B. Terriberry discovered that libvpx contains an integer
19 overflow vulnerability in the processing of video streams that may
20 allow user-assisted execution of arbitrary code.
21
22 Background
23 ==========
24
25 libvpx is the VP8 codec SDK used to encode and decode video streams,
26 typically within a WebM format media file.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 media-libs/libvpx < 0.9.5 >= 0.9.5
35
36 Description
37 ===========
38
39 libvpx is vulnerable to an integer overflow vulnerability when
40 processing crafted VP8 video streams.
41
42 Impact
43 ======
44
45 A remote attacker could entice a user to open a specially crafted media
46 file, possibly resulting in the execution of arbitrary code with the
47 privileges of the user running the application, or a Denial of Service.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All libvpx users should upgrade to the latest stable version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=media-libs/libvpx-0.9.5"
61
62 Packages which depend on this library may need to be recompiled. Tools
63 such as revdep-rebuild may assist in identifying some of these
64 packages.
65
66 References
67 ==========
68
69 [ 1 ] CVE-2010-4203
70 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4203
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 http://security.gentoo.org/glsa/glsa-201101-03.xml
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 https://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2011 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature