Bug 2291198 (CVE-2024-5197) - CVE-2024-5197 libvpx: Integer overflow in vpx_img_alloc()
Summary: CVE-2024-5197 libvpx: Integer overflow in vpx_img_alloc()
Keywords:
Status: NEW
Alias: CVE-2024-5197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291200
Blocks: 2291199
TreeView+ depends on / blocked
 
Reported: 2024-06-10 20:11 UTC by Marco Benatto
Modified: 2024-09-05 16:43 UTC (History)
5 users (show)

Fixed In Version: libvpx 1.14.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvpx. When creating images, libvpx trusts the width, height, and alignment of the user input. However, it does not properly validate the provided values. This flaw allows an attacker to craft user inputs or trick the user into opening crafted files, where these types of values are invalid, leading to integer overflows during memory allocation procedures. A successful full attack leads to the targeted application crashing, resulting in a denial of service or memory corruption, which results in data integrity issues.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:6435 0 None None None 2024-09-05 16:43:07 UTC
Red Hat Product Errata RHSA-2024:5941 0 None None None 2024-08-28 15:44:50 UTC

Description Marco Benatto 2024-06-10 20:11:12 UTC
There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond

https://g-issues.chromium.org/issues/332382766

Comment 1 Marco Benatto 2024-06-10 20:28:49 UTC
Created libvpx tracking bugs for this issue:

Affects: fedora-all [bug 2291200]

Comment 3 Marco Benatto 2024-06-10 20:44:06 UTC
Upstream commit for this issue:
https://chromium.googlesource.com/webm/libvpx/+/74c70af01667733483dc69298b8921779f5f6ff3

Comment 4 errata-xmlrpc 2024-08-28 15:44:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5941 https://access.redhat.com/errata/RHSA-2024:5941


Note You need to log in before you can comment on or make changes to this bug.