MGASA-2024-0221 - Updated libvpx packages fix security vulnerabilities

Publication date: 14 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0221.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-5197

Integer overflows exist in libvpx versions prior to 1.14.1.
Calling vpx_img_alloc() with a large value of the d_w, d_h, or align
parameter may result in integer overflows in the calculations of buffer
sizes and offsets, and some fields of the returned vpx_image_t struct may
be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h,
or stride_align parameter may likewise result in integer overflows in the
calculations of buffer sizes and offsets, and some fields of the returned
vpx_image_t struct may be invalid. (CVE-2024-5197)
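
The bug class described above, shown as an added example (not code from libvpx or from this advisory): a simplified 8-bit 4:2:0 size calculation in wrapping 32-bit arithmetic, next to a version that widens to 64 bits and rejects oversized requests. The function names, the 1 GiB cap and the INT_MAX bound on stride and height are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an 8-bit 4:2:0 planar image (one luma plane, two
 * half-size chroma planes). Illustrative only; this is not libvpx's code. */

#define MAX_IMAGE_BYTES ((uint64_t)1 << 30) /* assumed policy cap: 1 GiB */

/* Unchecked: 32-bit unsigned arithmetic wraps silently at every step. */
static uint32_t image_bytes_unchecked(uint32_t d_w, uint32_t d_h, uint32_t align) {
    uint32_t stride = (d_w + align - 1) & ~(align - 1); /* can wrap to 0 */
    uint32_t h = (d_h + 1) & ~1u;
    return stride * h + 2 * ((stride / 2) * (h / 2));   /* can wrap */
}

/* Checked: widen to 64 bits, bound each intermediate, then cap the total.
 * Returns 0 and stores the size in *out, or -1 if the request is rejected. */
static int image_bytes_checked(uint32_t d_w, uint32_t d_h, uint32_t align,
                               uint64_t *out) {
    if (d_w == 0 || d_h == 0) return -1;
    if (align == 0 || (align & (align - 1)) != 0) return -1; /* power of two */

    uint64_t stride = ((uint64_t)d_w + align - 1) & ~((uint64_t)align - 1);
    uint64_t h = ((uint64_t)d_h + 1) & ~(uint64_t)1;
    if (stride > INT_MAX || h > INT_MAX) return -1; /* assumed bound: fits an int */

    /* stride, h < 2^31, so the sum below is < 2^63 and cannot wrap. */
    uint64_t total = stride * h + 2 * ((stride / 2) * (h / 2));
    if (total > MAX_IMAGE_BYTES) return -1;
    *out = total;
    return 0;
}

int main(void) {
    uint64_t n = 0;
    /* Constructed inputs: a sane frame, then two oversized requests. */
    uint32_t cases[3][3] = {{640, 480, 32}, {65536, 65536, 32}, {0xFFFFFFFFu, 16, 32}};
    for (int i = 0; i < 3; i++) {
        uint32_t *c = cases[i];
        int rc = image_bytes_checked(c[0], c[1], c[2], &n);
        printf("%ux%u align %u: unchecked=%u checked=%s\n", c[0], c[1], c[2],
               image_bytes_unchecked(c[0], c[1], c[2]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

For the 65536x65536 request the unchecked path reports a size smaller than the true 6442450944 bytes, which is how an undersized buffer and invalid struct fields arise.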

References:
- https://bugs.mageia.org/show_bug.cgi?id=33281
- https://ubuntu.com/security/notices/USN-6814-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5197

SRPMS:
- 9/core/libvpx-1.12.0-1.3.mga9
