Bugzilla – Bug 1193356
VUL-0: CVE-2020-36129: libaom: AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.
Last modified: 2022-03-25 09:15:43 UTC
CVE-2020-36129 AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c. Upstream fix commit: https://aomedia.googlesource.com/aom/+/94bcbfe76b0fd5b8ac03645082dc23a88730c949%5E%21/#F0 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36129 https://bugs.chromium.org/p/aomedia/issues/detail?id=2912&q=&can=1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36129 http://www.cvedetails.com/cve/CVE-2020-36129/
Affected codestream: - SUSE:SLE-15-SP2:Update
Why I am the assignee of this bug? I will probably take over, however the maintainer is different.
Thanks for handling this issue Petr. No bugowner is assigned in {I,O}BS, but I saw that you submitted patches in liboam in the past. That's why I assigned this bug to you. If you think someone else should be assigned instead, feel free to change. (a few more bugs will come soon)
$ isc maintainer libaom Defined in package: SUSE:SLE-15-SP2:GA/libaom bugowner of libaom : group:coldpool maintainer of libaom : - $ Please get familiar with cold pool project.
Reassigning to appropriate assignee.
I'll try to take over.
No segfault reproduced for 15sp2/libaom: :/193356 # aomenc --pass=2 --usage=1 -o /dev/null ./poc3 Warning: Assuming --pass=2 implies --passes=2 Fatal: Failed to get config: Invalid parameter :/193356 # Had not tried ASAN.
Package 15sp2/libaom submitted.
Thanks for having submitted a fix even without clear reproducer.
SUSE-SU-2021:4170-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1193356,1193365,1193366,1193369 CVE References: CVE-2020-36129,CVE-2020-36130,CVE-2020-36131,CVE-2020-36135 JIRA References: Sources used: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): libaom-1.0.0-3.9.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): libaom-1.0.0-3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:4170-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1193356,1193365,1193366,1193369 CVE References: CVE-2020-36129,CVE-2020-36130,CVE-2020-36131,CVE-2020-36135 JIRA References: Sources used: openSUSE Leap 15.3 (src): libaom-1.0.0-3.9.1
openSUSE-SU-2021:1624-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1193356,1193365,1193366,1193369 CVE References: CVE-2020-36129,CVE-2020-36130,CVE-2020-36131,CVE-2020-36135 JIRA References: Sources used: openSUSE Leap 15.2 (src): libaom-1.0.0-lp152.3.9.1
done