Bug#871931: libvpx: CVE-2017-0641
On Sat, Aug 12, 2017 at 09:37:12PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> > Hi,
> >
> > we are already using:
> >
> > --size-limit=16384x16384
>
> Yupp, I know that, I added that comment to the tracker. It's not clear
> to me if we need to limit it quite further. The android approach is to
> limit it to 4k frames. Maybe indeed we should mark it as fixed for that
> version where the size-limit was added (which should be 1.4.0-4). But
> the size-limit to 16384x16384 was back in 2015 added to
> mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
> it further.

I think our build is perfectly fine in stretch. It's probably a bigger
issue for libvpx as used by smart phones, but for a desktop build I
don't think we should modify the current defaults in stable (it might
break existing setups even). I think we can mark this as unimportant
and for buster follow upstream defaults.

> cc'ing Moritz, who added libvpx to our DSA needed list on that
> purpose.

That was only for oldstable, sorry for the confusion.

Cheers,
Moritz

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#871931: libvpx: CVE-2017-0641
Hi

On Sat, Aug 12, 2017 at 01:52:43PM -0400, Ondrej Novy wrote:
> Hi,
>
> we are already using:
>
> --size-limit=16384x16384

Yupp, I know that, I added that comment to the tracker. It's not clear
to me if we need to limit it quite further. The android approach is to
limit it to 4k frames. Maybe indeed we should mark it as fixed for that
version where the size-limit was added (which should be 1.4.0-4). But
the size-limit to 16384x16384 was back in 2015 added to
mitigate/workaround CVE-2015-1258. So I suspect we will need to limit
it further.

*but* cc'ing Moritz, who added libvpx to our DSA needed list on that
purpose.

Regards,
Salvatore
Bug#871931: libvpx: CVE-2017-0641
Hi,

we are already using:

--size-limit=16384x16384

configure option. So I __think__ we are not vulnerable.

--
Best regards
Ondřej Nový
Email: n...@ondrej.org
PGP: 3D98 3C52 EB85 980C 46A5 6090 3573 1255 9D1E 064B
Bug#871931: libvpx: CVE-2017-0641
Source: libvpx
Version: 1.6.1-3
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvpx.

CVE-2017-0641[0]:
| A remote denial of service vulnerability in libvpx in Mediaserver
| could enable an attacker to use a specially crafted file to cause a
| device hang or reboot. This issue is rated as High severity due to the
| possibility of remote denial of service. Product: Android. Versions:
| 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID:
| A-34360591.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0641
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0641

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore