A recent Google Chrome update indicated there was a memory corruption flaw in libvpx.
Upstream changes to correct the flaw are here:
(the second is to fix some regressions introduced by the first patch, by the looks of things).
libvpx seems to only be used, currently, by gstreamer-plugins-bad-free.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4203 to
the following vulnerability:
Reference: CONFIRM: http://code.google.com/p/chromium/issues/detail?id=60055
Reference: CONFIRM: http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html
WebM libvpx (aka the VP8 Codec SDK), as used in Google Chrome before
7.0.517.44, allows remote attackers to cause a denial of service
(memory corruption) or possibly have unspecified other impact via
The first patchset is applied in F14, the second is not. Given this reproducer doesn't work in F14, I suspect the flaw is fixed there. We should still try to get the second patchset applied though.
Created libvpx tracking bugs for this issue
Affects: fedora-all [bug 652443]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2010:0999 https://rhn.redhat.com/errata/RHSA-2010-0999.html