Bug 1220105

Summary: VUL-0: CVE-2024-1580: rav1e: dav1d: integer overflow when decoding videos with large frame size
Product: [Novell Products] SUSE Security Incidents Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: IncidentsAssignee: Michael Gorse <mgorse>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, gnome-bugs, security-team, smash_bz, yfjiang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/394507/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1220099    

Description Andrea Mattiazzo 2024-02-20 11:42:30 UTC 
An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1580
https://www.cve.org/CVERecord?id=CVE-2024-1580
https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
https://code.videolan.org/videolan/dav1d/-/releases/1.4.0
https://bugzilla.redhat.com/show_bug.cgi?id=2264938

Patch:
https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51
Comment 2 Yifan Jiang 2024-02-21 08:16:06 UTC 
Hello Mike, I put this under your name because I saw your name in the dav1d bugowner list. Can you please take a look? Thank you!
Comment 4 OBSbugzilla Bot 2024-02-21 14:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1220105) was mentioned in
https://build.opensuse.org/request/show/1148724 Factory / dav1d
Comment 8 Andrea Mattiazzo 2024-02-22 17:22:09 UTC 
Closing since package load system dependency and use dav1d only for testing purposes.