Bug 1075992 – VUL-0: CVE-2017-13194: libvpx: A vulnerability in the Android media framework (libvpx) related to odd framewidth. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID:A-64710201.

Bug 1075992 - (CVE-2017-13194) VUL-0: CVE-2017-13194: libvpx: A vulnerability in the Android media framework (libvpx) related to odd framewidth. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID:A-64710201.

(CVE-2017-13194)
Summary:	VUL-0: CVE-2017-13194: libvpx: A vulnerability in the Android media framework...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Adrian Schröter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/198213/
Whiteboard:	CVSSv3:SUSE:CVE-2017-13194:5.6:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-01-15 13:22 UTC by Matthias Gerstner
Modified:	2018-01-25 11:30 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Gerstner 2018-01-15 13:22:48 UTC

CVE-2017-13194

A vulnerability in the Android media framework (libvpx) related to odd frame
width. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID:
A-64710201.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13194
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13194.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13194
https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d9

Comment 1 Matthias Gerstner 2018-01-15 13:24:45 UTC

The only maintained codestream seems affected in

  SUSE:SLE-12:Update/libvpx/libvpx-1.3.0/vpx/src/vpx_image.c:150

The code in our version looks different but the allocation logic regarding
buffer size is the same.

Comment 4 Swamp Workflow Management 2018-01-23 17:20:09 UTC

SUSE-SU-2018:0181-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1075992
CVE References: CVE-2017-13194
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libvpx-1.3.0-3.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libvpx-1.3.0-3.3.1

Comment 5 Swamp Workflow Management 2018-01-25 11:07:46 UTC

openSUSE-SU-2018:0210-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1075992
CVE References: CVE-2017-13194
Sources used:
openSUSE Leap 42.3 (src):    libvpx-1.3.0-8.1
openSUSE Leap 42.2 (src):    libvpx-1.3.0-5.3.1

Comment 6 Marcus Meissner 2018-01-25 11:30:19 UTC

reeased