Bug 2291198 (CVE-2024-5197)

Summary: CVE-2024-5197 libvpx: Integer overflow in vpx_img_alloc()
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erack, gotiwari, jhorak, mvyas, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvpx 1.14.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvpx. When creating images, libvpx trusts the width, height, and alignment of the user input. However, it does not properly validate the provided values. This flaw allows an attacker to craft user inputs or trick the user into opening crafted files, where these types of values are invalid, leading to integer overflows during memory allocation procedures. A successful full attack leads to the targeted application crashing, resulting in a denial of service or memory corruption, which results in data integrity issues.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2291200    
Bug Blocks: 2291199    

Description Marco Benatto 2024-06-10 20:11:12 UTC 
There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond

https://g-issues.chromium.org/issues/332382766
Comment 1 Marco Benatto 2024-06-10 20:28:49 UTC 
Created libvpx tracking bugs for this issue:

Affects: fedora-all [bug 2291200]
Comment 3 Marco Benatto 2024-06-10 20:44:06 UTC 
Upstream commit for this issue:
https://chromium.googlesource.com/webm/libvpx/+/74c70af01667733483dc69298b8921779f5f6ff3
Comment 4 errata-xmlrpc 2024-08-28 15:44:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5941 https://access.redhat.com/errata/RHSA-2024:5941
Comment 5 errata-xmlrpc 2024-11-18 09:11:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9827 https://access.redhat.com/errata/RHSA-2024:9827