Hello community, here is the log from the commit of package libvpx for openSUSE:Leap:15.2 checked in at 2020-05-19 14:08:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libvpx (Old) and /work/SRC/openSUSE:Leap:15.2/.libvpx.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvpx" Tue May 19 14:08:13 2020 rev:23 rq:806862 version:1.6.1 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libvpx/libvpx.changes 2020-02-04 17:53:59.424733727 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libvpx.new.2738/libvpx.changes 2020-05-19 14:08:39.431019197 +0200 @@ -1,0 +2,6 @@ +Tue Mar 10 13:52:54 UTC 2020 - Adrian Schröter <[email protected]> + +- backport security fix: + CVE-2020-0034.patch: bsc#1166066: out-of-bounds read on truncated key frames + +------------------------------------------------------------------- New: ---- CVE-2020-0034.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvpx.spec ++++++ --- /var/tmp/diff_new_pack.x4IiXV/_old 2020-05-19 14:08:39.835019982 +0200 +++ /var/tmp/diff_new_pack.x4IiXV/_new 2020-05-19 14:08:39.839019990 +0200 @@ -33,6 +33,7 @@ Patch5: CVE-2019-9325.patch Patch6: CVE-2019-9232.patch Patch7: CVE-2019-9433.patch +Patch8: CVE-2020-0034.patch # libwebm: Patch100: CVE-2019-9371.patch Patch101: CVE-2019-2126.patch @@ -106,6 +107,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # libwebm %patch100 -p0 %patch101 -p0 
@@ -171,7 +173,8 @@ %files -n %{name}%{sover} %defattr(-, root, root) -%doc LICENSE AUTHORS README CHANGELOG +%license LICENSE +%doc AUTHORS README CHANGELOG %{_libdir}/libvpx.so.* %files devel ++++++ CVE-2020-0034.patch ++++++ commit 45daecb4f73a47ab3236a29a3a48c52324cbf19a Author: James Zern <[email protected]> Date: Wed Jun 7 20:46:13 2017 -0700 vp8_decode_frame: fix oob read on truncated key frame the check for error correction being disabled was overriding the data length checks. this avoids returning incorrect information (width / height) for the decoded frame which could result in inconsistent sizes returned in to an application causing it to read beyond the bounds of the frame allocation. BUG=webm:1443 BUG=b/62458770 Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342 Index: libvpx-1.6.1/test/invalid_file_test.cc =================================================================== --- libvpx-1.6.1.orig/test/invalid_file_test.cc +++ libvpx-1.6.1/test/invalid_file_test.cc @@ -120,6 +120,15 @@ class InvalidFileTest : public ::libvpx_ TEST_P(InvalidFileTest, ReturnCode) { RunTest(); } +#if CONFIG_VP8_DECODER +const DecodeParam kVP8InvalidFileTests[] = { + { 1, "invalid-bug-1443.ivf" }, +}; + +VP8_INSTANTIATE_TEST_CASE(InvalidFileTest, + ::testing::ValuesIn(kVP8InvalidFileTests)); +#endif // CONFIG_VP8_DECODER + #if CONFIG_VP9_DECODER const DecodeParam kVP9InvalidFileTests[] = { { 1, "invalid-vp90-02-v2.webm" }, 
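Review bot: The new `kVP8InvalidFileTests` entry for `invalid-bug-1443.ivf` has no comment saying what it guards against, so a later reader cannot tell it is the truncated-key-frame regression for this fix. A one-line comment above the entry would tie it to the fix, for example `// webm:1443: truncated key frame header (inconsistent frame size, oob read).`. As far as these hunks show, the file is run only through InvalidFileTest. It is worth confirming that some test also decodes it with error concealment enabled, since the decodeframe.c change adds a separate `data = data_end` branch for that mode.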
@@ -164,12 +173,12 @@ class InvalidFileInvalidPeekTest : publi TEST_P(InvalidFileInvalidPeekTest, ReturnCode) { RunTest(); } #if CONFIG_VP8_DECODER -const DecodeParam kVP8InvalidFileTests[] = { +const DecodeParam kVP8InvalidPeekTests[] = { { 1, "invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf" }, }; VP8_INSTANTIATE_TEST_CASE(InvalidFileInvalidPeekTest, - ::testing::ValuesIn(kVP8InvalidFileTests)); + ::testing::ValuesIn(kVP8InvalidPeekTests)); #endif // CONFIG_VP8_DECODER #if CONFIG_VP9_DECODER Index: libvpx-1.6.1/test/test-data.mk =================================================================== --- libvpx-1.6.1.orig/test/test-data.mk +++ libvpx-1.6.1/test/test-data.mk @@ -731,6 +731,8 @@ LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) + endif # CONFIG_VP9_HIGHBITDEPTH # Invalid files for testing libvpx error checking. +LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf +LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf.res LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf.res LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01-v3.webm Index: libvpx-1.6.1/test/test-data.sha1 =================================================================== --- libvpx-1.6.1.orig/test/test-data.sha1 +++ libvpx-1.6.1/test/test-data.sha1 @@ -848,3 +848,5 @@ a000d568431d07379dd5a8ec066061c07e560b47 6fa3d3ac306a3d9ce1d610b78441dc00d2c2d4b9 *tos_vp8.webm e402cbbf9e550ae017a1e9f1f73931c1d18474e8 *invalid-crbug-667044.webm d3964f9dad9f60363c81b688324d95b4ec7c8038 *invalid-crbug-667044.webm.res +fd9df7f3f6992af1d7a9dde975c9a0d6f28c053d *invalid-bug-1443.ivf +fd3020fa6e9ca5966206738654c97dec313b0a95 *invalid-bug-1443.ivf.res Index: libvpx-1.6.1/vp8/decoder/decodeframe.c =================================================================== --- libvpx-1.6.1.orig/vp8/decoder/decodeframe.c +++ libvpx-1.6.1/vp8/decoder/decodeframe.c 
@@ -930,7 +930,7 @@ int vp8_decode_frame(VP8D_COMP *pbi) { /* When error concealment is enabled we should only check the sync * code if we have enough bits available */ - if (!pbi->ec_active || data + 3 < data_end) { + if (data + 3 < data_end) { if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a) { vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM, "Invalid frame sync code"); @@ -941,13 +941,19 @@ int vp8_decode_frame(VP8D_COMP *pbi) { * if we have enough data. Otherwise we will end up with the wrong * size. */ - if (!pbi->ec_active || data + 6 < data_end) { + if (data + 6 < data_end) { pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff; pc->horiz_scale = clear[4] >> 6; pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff; pc->vert_scale = clear[6] >> 6; + data += 7; + } else if (!pbi->ec_active) { + vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME, + "Truncated key frame header"); + } else { + /* Error concealment is active, clear the frame. */ + data = data_end; } - data += 7; } else { memcpy(&xd->pre, yv12_fb_new, sizeof(YV12_BUFFER_CONFIG)); memcpy(&xd->dst, yv12_fb_new, sizeof(YV12_BUFFER_CONFIG));
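Review bot: The bounds checks `data + 3 < data_end` and `data + 6 < data_end` form a pointer past the end of the buffer on exactly the truncated inputs this patch targets, which is undefined behaviour in C and can wrap for a buffer near the top of the address space. Assuming `data` and `data_end` (declared outside the hunk) point into the same buffer, comparing the remaining length is safer: `if (data_end - data > 3) {` and `if (data_end - data > 6) {`. With `!pbi->ec_active` removed from the first check, a key frame shorter than four bytes now skips the sync-code test silently and is rejected only by the new "Truncated key frame header" branch in the second hunk. That dependency deserves a comment. The existing comment "When error concealment is enabled we should only check the sync code if we have enough bits available" is also stale, because the length test now applies in both modes. The body of vp8_decode_frame starts and ends outside these hunks.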
