Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-6879: libaom: heap-buffer-overflow on frame size change | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | package coldpool <coldpool> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | andrea.mattiazzo, pgajdos, security-team, valentin.lefebvre |
| Version: | unspecified | Flags: | pgajdos: needinfo? (security-team) |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/389439/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-6879:4.8:(AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | AddressSanitizer testcase frame resize; unsuccessful patch; patch which adds the testcase (might be also wrong) | | |
Description
SMASH SMASH
2023-12-28 09:53:21 UTC
ALP submission: https://build.suse.de/request/show/316799

Created attachment 871719 [details]
AddressSanitizer testcase frame resize

I have tried with the AddressSanitizer library loaded but the results are the same as yours for the old test case; I also ran it for the other one and in some cases the stack calls seem different.

$ cmake path/to/aom -DSANITIZE=address
$ make

I had no chance to get to it so far. I have coldpool duty next week, perhaps I will discover something.

3.7.0 reproduces the segfault
3.7.1 fixes the segfault completely (even that one mentioned in comment 4)

Backport of these following two commits to 3.2.0 does not suffice

https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c%5E!
https://aomedia.googlesource.com/aom/+/fcfdc09d81b122cd5e70f66dc55833065127bf47%5E!

for me.

> Backport of these following two commits to 3.2.0 does not suffice
[..]
> for me.

I.e. it crashes with a different backtrace (comment 4 and comment 5).

Created attachment 872106 [details]
unsuccessful patch

Created attachment 872107 [details]
patch which adds the testcase (might be also wrong)

SUSE-SU-2024:0517-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218429
CVE References: CVE-2023-6879
Sources used:
SUSE Linux Enterprise Real Time 15 SP4 (src): libaom-3.2.0-150400.3.3.1
openSUSE Leap 15.4 (src): libaom-3.2.0-150400.3.3.1
openSUSE Leap 15.5 (src): libaom-3.2.0-150400.3.3.1
Basesystem Module 15-SP5 (src): libaom-3.2.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

(In reply to Petr Gajdos from comment #11)
> 3.7.0 reproduces the segfault
> 3.7.1 fixes the segfault completely (even that one mentioned in comment 4)
>
> Backport of these following two commits to 3.2.0 does not suffice
>
> https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c%5E!
> https://aomedia.googlesource.com/aom/+/fcfdc09d81b122cd5e70f66dc55833065127bf47%5E!
>
> for me.

Trying to backport these commits related to the changes:

https://aomedia.googlesource.com/aom/+/dc2c3eb26556636dbdae1fef9dbe624276544124
https://aomedia.googlesource.com/aom/+/f4db04befe03ca3ead84ef30a82a56437bd91a90

Doesn't fix the SIGSEGV either.
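The summary names the bug class, but the attached testcase and patches are not reproduced on this page. The following C program is an added illustration of that class, written for this listing and not taken from libaom or from the attachments: it shows a decoder that sizes its output buffer from the first frame header and keeps writing into it after a later header announces a larger frame, beside the hardened pattern that validates the header and reallocates before any write. `decoder_t`, `frame_t`, `MAX_DIM`, the payload layout and the constructed two-frame stream are all assumptions made for the example; the vulnerable path is only probed with a capacity check so the program itself never performs the out-of-bounds write (built with `-fsanitize=address`, calling it on the resized frame is what would produce the heap-buffer-overflow report).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of "heap-buffer-overflow on frame size change".
 * NOT libaom code: decoder_t, frame_t, decode_frame_* and the payload layout
 * are assumptions made for this example. */

#define MAX_DIM 16384u              /* assumed sanity limit on one frame dimension */

typedef struct {
    uint32_t width, height;         /* dimensions announced by this frame's header */
    const uint8_t *payload;         /* width*height bytes of sample data */
} frame_t;

typedef struct {
    uint8_t *buf;                   /* output buffer */
    size_t cap;                     /* bytes allocated for buf */
    uint32_t width, height;         /* dimensions buf was last sized for */
} decoder_t;

/* Size the output buffer from the first frame header (sequence start). */
static int decoder_open(decoder_t *d, uint32_t w, uint32_t h) {
    d->cap = (size_t)w * h;
    d->buf = malloc(d->cap);
    d->width = w;
    d->height = h;
    return d->buf ? 0 : -1;
}

static void decoder_close(decoder_t *d) { free(d->buf); d->buf = NULL; d->cap = 0; }

/* Vulnerable pattern: the buffer was sized at open time and the new header's
 * dimensions are used without comparing them against the allocation.  A stream
 * whose second frame is larger than its first makes memcpy write past d->buf;
 * AddressSanitizer reports that as a heap-buffer-overflow WRITE. */
static int decode_frame_vulnerable(decoder_t *d, const frame_t *f) {
    size_t n = (size_t)f->width * f->height;
    memcpy(d->buf, f->payload, n);  /* no check that n <= d->cap */
    return 0;
}

/* Hardened pattern: validate the header, notice the size change, and grow the
 * allocation before any write touches it. */
static int decode_frame_hardened(decoder_t *d, const frame_t *f) {
    if (f->width == 0 || f->height == 0 || f->width > MAX_DIM || f->height > MAX_DIM)
        return -1;                               /* reject zero or absurd sizes */
    size_t n = (size_t)f->width * f->height;      /* cannot overflow: both <= MAX_DIM */
    if (f->width != d->width || f->height != d->height) {
        uint8_t *nb = realloc(d->buf, n);         /* frame size changed: reallocate */
        if (!nb) return -1;
        d->buf = nb;
        d->cap = n;
        d->width = f->width;
        d->height = f->height;
    }
    if (n > d->cap) return -1;                    /* defensive: never trust the cache alone */
    memcpy(d->buf, f->payload, n);
    return 0;
}

/* Would the vulnerable path write past the allocation for this frame?  Lets the
 * demo show the defect without executing the out-of-bounds write itself. */
static int vulnerable_would_overflow(const decoder_t *d, const frame_t *f) {
    return (size_t)f->width * f->height > d->cap;
}

/* Constructed two-frame "stream": a 4x4 first frame, then an 8x8 frame. */
static const uint8_t small_payload[16] = {0};
static const uint8_t large_payload[64] = {0};
static const frame_t frame_4x4 = {4, 4, small_payload};
static const frame_t frame_8x8 = {8, 8, large_payload};

/* Returns 1 if the vulnerable decoder would overflow on the resized frame. */
int demo_vulnerable_overflows(void) {
    decoder_t d;
    if (decoder_open(&d, frame_4x4.width, frame_4x4.height) != 0) return -1;
    decode_frame_vulnerable(&d, &frame_4x4);      /* same size as the allocation: fine */
    int r = vulnerable_would_overflow(&d, &frame_8x8);
    decoder_close(&d);
    return r;
}

/* Returns the buffer capacity after the hardened decoder handles the resize. */
size_t demo_hardened_capacity(void) {
    decoder_t d;
    if (decoder_open(&d, frame_4x4.width, frame_4x4.height) != 0) return 0;
    if (decode_frame_hardened(&d, &frame_4x4) != 0 ||
        decode_frame_hardened(&d, &frame_8x8) != 0) { decoder_close(&d); return 0; }
    size_t cap = d.cap;
    decoder_close(&d);
    return cap;
}

int main(void) {
    printf("vulnerable would overflow on resize: %d\n", demo_vulnerable_overflows());
    printf("hardened capacity after resize: %zu\n", demo_hardened_capacity());
    return 0;
}
```

The fix pattern is the same one the aom commits discussed above are aiming at in a far larger code base: the per-frame header, not the state cached at stream open, decides how much memory the write needs, and that decision has to happen before the first byte is written.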