A vulnerability was found in libvpx. A maliciously crafted media file allows remote attackers to execute arbitrary code or cause a denial of service. Upstream fix: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1 References: http://lwn.net/Vulnerabilities/680036/
Created compat-libvpx1 tracking bugs for this issue: Affects: fedora-23 [bug 1318188]
Created libvpx tracking bugs for this issue: Affects: fedora-all [bug 1318187] Affects: epel-5 [bug 1318189]
There does not seem to be any technical details public about this issue. There is this Android security bulletin: http://source.android.com/security/bulletin/2016-03-01.html#remote_code_execution_vulnerabilities_in_libvpx linking the following commits: https://android.googlesource.com/platform/frameworks/av/+/5a6788730acfc6fd8f4a6ef89d2c376572a26b55 https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d https://android.googlesource.com/platform/external/libvpx/+/5a9753fca56f0eeb9f61e342b2fccffc364f9426 Apparently, the problem fixed is in the libwebm library embedded in libvpx. As libvpx versions in Red Hat Enterprise Linux 6 and 7 pre-date inclusion of libwebm in libvpx, they can not be affected by this issue. Similar applies to libvpx in EPEL-5 or compat-libvpx1 in Fedora.