Bug 670840 (CVE-2010-4489)
Summary: | CVE-2010-4489 libvpx: Signedness error in partition size check | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED WONTFIX | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | bressers, ddumas, otte, wnefal+redhatbugzilla
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-08-22 06:27:51 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Jan Lieskovsky
2011-01-19 14:10:06 UTC
This issue affects the version of the libvpx package as shipped with Red Hat Enterprise Linux 6.

--

This issue does NOT affect the versions of the libvpx package as shipped with Fedora releases 13 and 14 (the version of the libvpx package in those releases is newer and already contains the fix).

Also, if I am reading the original Google Chrome report correctly:

[5] http://code.google.com/p/chromium/issues/detail?id=61653

there were two issues:

a, a memory corruption flaw (CVE-2010-4203, comment #0, description of [5])

b, a fix for an invalid read regression introduced by the fix for CVE-2010-4203: http://code.google.com/p/chromium/issues/detail?id=61653#c51

Projecting this onto the libvpx changesets:

a, should correspond to: https://review.webmproject.org/#change,928

then b, to: http://review.webmproject.org/#change,1098 (contains three patchsets)

It indeed looks like I applied the wrong patch... So yes, we need patch iii) and not patch i), which I applied.

Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.