Bug 670840 (CVE-2010-4489) - CVE-2010-4489 libvpx: Signedness error in partition size check
Summary: CVE-2010-4489 libvpx: Signedness error in partition size check
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2010-4489
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2011-01-19 14:10 UTC by Jan Lieskovsky
Modified: 2021-02-24 16:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 06:27:51 UTC

Description Jan Lieskovsky 2011-01-19 14:10:06 UTC
An integer signedness error, leading to an out-of-bounds buffer read,
was found in the way libvpx, the VP8 Video Codec SDK, decoded certain
VP8 video frames. A remote attacker could trick a local victim
into opening a specially-crafted WebM video file in an application
using the libvpx library, leading to denial of service (particular
application crash).

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4489
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610510
[3] http://code.google.com/p/chromium/issues/detail?id=61653#c51

Upstream changeset (not definitely sure, needs confirmation):
[4] http://review.webmproject.org/#change,1098
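
The bug class named in the description, shown as an added example that is not part of the original report and is not libvpx code (the report does not show the affected source): a partition size check that mixes signed and unsigned operands, next to a bounds check that cannot be bypassed that way. The function names and the length-prefixed layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed: 'remaining' is signed and 'size' is unsigned, so the usual
 * arithmetic conversions turn 'remaining' into uint32_t. A negative value
 * (read position already past the end) becomes huge and the test passes. */
static int fits_flawed(int32_t remaining, uint32_t size) {
    return !(remaining < size);
}

/* Hardened: unsigned throughout, lower bound checked first, and the
 * subtraction only happens once offset <= buf_len, so it cannot wrap. */
static int fits_checked(size_t buf_len, size_t offset, size_t size) {
    return offset <= buf_len && size <= buf_len - offset;
}

/* Walk partitions stored as [3-byte little-endian size][payload]...
 * (constructed layout for this example, not the VP8 bitstream).
 * Returns the partition count, or -1 if any size exceeds the buffer. */
static int count_partitions(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (!fits_checked(len, off, 3)) return -1;
        size_t size = (size_t)buf[off] | ((size_t)buf[off + 1] << 8) |
                      ((size_t)buf[off + 2] << 16);
        off += 3;
        if (!fits_checked(len, off, size)) return -1;
        off += size;
        n++;
    }
    return n;
}

/* Constructed sample inputs: two well-formed partitions, then a stream
 * whose second partition claims 65535 bytes with only one byte left. */
static const uint8_t good_stream[] = {2, 0, 0, 0xAA, 0xBB, 1, 0, 0, 0xCC};
static const uint8_t bad_stream[]  = {2, 0, 0, 0xAA, 0xBB, 0xFF, 0xFF, 0, 0xCC};

int main(void) {
    printf("flawed accepts remaining=-4, size=16: %d\n", fits_flawed(-4, 16));
    printf("good stream: %d partitions\n",
           count_partitions(good_stream, sizeof good_stream));
    printf("bad stream:  %d\n",
           count_partitions(bad_stream, sizeof bad_stream));
    return 0;
}
```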

Comment 1 Jan Lieskovsky 2011-01-19 14:12:26 UTC
This issue affects the version of the libvpx package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue does NOT affect the versions of the libvpx package as
shipped with Fedora releases 13 and 14 (the version of the libvpx package
in those releases is newer and already contains the fix).

Comment 2 Jan Lieskovsky 2011-01-19 14:46:26 UTC
Also, if I am reading the original Google Chrome report correctly:
[5] http://code.google.com/p/chromium/issues/detail?id=61653

there were two issues:
a, memory corruption flaw (CVE-2010-4203, comment #0, description of [5])
b, a fix for invalid read regression:
   http://code.google.com/p/chromium/issues/detail?id=61653#c51

   introduced by fix for CVE-2010-4203.

Projecting this into libvpx changeset:
a, should correspond to:
   https://review.webmproject.org/#change,928
then b, to:
   http://review.webmproject.org/#change,1098 (contains three patchsets)

Comment 4 Benjamin Otte 2011-01-28 08:07:07 UTC
It indeed looks like I applied the wrong patch...
So yes, we need patch iii) and not patch i) that I applied.

Comment 9 Vincent Danen 2015-08-22 06:27:40 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

