Bug 1225879 (CVE-2024-5197) - VUL-0: CVE-2024-5197: libvpx: integer overflow when calling vpx_img_alloc() or vpx_img_wrap() with large parameters
Status: REOPENED
Alias: CVE-2024-5197
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance (priority / severity): P3 - Medium / Major
Target Milestone: ---
Assignee: Adrian Schröter
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408518/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-5197:7.8:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-03 18:21 UTC by SMASH SMASH
Modified: 2024-07-11 20:30 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-06-03 18:21:28 UTC
There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5197
https://www.cve.org/CVERecord?id=CVE-2024-5197
https://g-issues.chromium.org/issues/332382766
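The description above names the bug class but not its shape. The following C program is an added illustration, not libvpx's code and not the upstream patch: it models the size arithmetic an allocator like vpx_img_alloc() has to do (round d_w up to the alignment, turn it into a byte stride, multiply by d_h) once with 32-bit unsigned intermediates, as a caller passing large d_w/d_h/align would hit it, and once with the overflow checks a hardened version needs. The parameter types follow the public vpx_img_alloc() signature (unsigned int d_w, d_h, align); the function names, the bytes_per_px parameter and the exact arithmetic are hypothetical. The "before" shape reports 0 bytes for a frame that is ~4 GiB wide, or for a 65536x65536 frame, which is exactly the kind of value a subsequent memcpy into the plane would overrun.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the buffer-size arithmetic an image allocator such as
 * vpx_img_alloc() performs: round the display width up to the alignment, turn
 * it into a stride in bytes, and multiply by the height.  Added illustration
 * of the bug class only; this is not libvpx's code and not its patch.  The
 * d_w/d_h/align types mirror the public API (unsigned int), so a wrap here is
 * well-defined modular arithmetic rather than undefined behaviour.
 */

/* Unchecked "before" shape: every intermediate lives in a 32-bit unsigned. */
unsigned int naive_plane_bytes(unsigned int d_w, unsigned int d_h,
                               unsigned int align, unsigned int bytes_per_px) {
    unsigned int mask = align - 1;                 /* align assumed to be 2^n */
    unsigned int w = (d_w + mask) & ~mask;         /* d_w + mask can wrap to 0 */
    unsigned int stride = w * bytes_per_px;        /* can wrap */
    return stride * d_h;                           /* can wrap */
}

/*
 * Hardened shape: do the arithmetic in uint64_t and reject any result that
 * would not fit the int-typed stride/size fields a caller stores it in.
 * Returns true and fills *stride_out / *bytes_out on success; false on
 * overflow, on a zero bytes_per_px, or on an alignment that is not a power
 * of two (the real fields in vpx_image_t are int stride[4], hence INT_MAX).
 */
bool checked_plane_bytes(unsigned int d_w, unsigned int d_h, unsigned int align,
                         unsigned int bytes_per_px,
                         int *stride_out, int *bytes_out) {
    if (align == 0 || (align & (align - 1)) != 0) return false;
    if (bytes_per_px == 0) return false;

    uint64_t mask = (uint64_t)align - 1;
    uint64_t w = ((uint64_t)d_w + mask) & ~mask;   /* < 2^33, cannot wrap */
    if (w > (uint64_t)INT_MAX / bytes_per_px) return false;
    uint64_t stride = w * bytes_per_px;            /* <= INT_MAX */
    if (d_h != 0 && stride > (uint64_t)INT_MAX / d_h) return false;
    uint64_t bytes = stride * d_h;                 /* <= INT_MAX */

    *stride_out = (int)stride;
    *bytes_out = (int)bytes;
    return true;
}

int main(void) {
    /* Constructed inputs: one ordinary frame and two that wrap the naive path. */
    struct { unsigned int w, h, align; } cases[] = {
        { 1920u, 1080u, 32u },      /* ordinary frame: both paths agree */
        { 0xFFFFFFF1u, 1u, 16u },   /* d_w + (align - 1) wraps to 0 */
        { 65536u, 65536u, 1u },     /* stride * d_h == 2^32 wraps to 0 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int stride = 0, bytes = 0;
        unsigned int naive = naive_plane_bytes(cases[i].w, cases[i].h, cases[i].align, 1u);
        bool ok = checked_plane_bytes(cases[i].w, cases[i].h, cases[i].align, 1u,
                                      &stride, &bytes);
        printf("d_w=%u d_h=%u align=%u: naive=%u bytes, checked=%s",
               cases[i].w, cases[i].h, cases[i].align, naive, ok ? "ok" : "REJECTED");
        if (ok) printf(" (stride=%d, bytes=%d)", stride, bytes);
        printf("\n");
    }
    return 0;
}
```

The same pattern applies to vpx_img_wrap(): its stride_align feeds the same rounding step, and a caller-supplied buffer makes the consequence of an undersized or wrapped stride a read or write past that buffer rather than past an allocation. The check that matters is that every product is bounded before it is computed, not that the final value is tested afterwards, since a wrapped value can land in range.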
Comment 1 Camila Camargo de Matos 2024-06-03 18:23:45 UTC
The patch for this issue, available at https://chromium-review.googlesource.com/c/webm/libvpx/+/5555763, seems to indicate that the issue was introduced by commit 2e32276 (available at https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333).
Comment 4 Camila Camargo de Matos 2024-06-03 18:48:29 UTC
(In reply to Camila Camargo de Matos from comment #1)
> The patch for this issue, available at
> https://chromium-review.googlesource.com/c/webm/libvpx/+/5555763, seems to
> indicate that the issue was introduced by commit 2e32276 (available at
> https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333).

The above analysis is incorrect. The patch for this issue is actually commit 2e32276 [0]. However, this commit introduced a bug, which was then fixed by commit 74c70af [1]. Therefore, if the fix for this issue is to be applied, then the changes from commit 74c70af [1] should also be applied in order to avoid the introduction of a new bug together with the security fix.

Apologies for the previously incorrect information provided.

[0] https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
[1] https://chromium-review.googlesource.com/c/webm/libvpx/+/5555763
Comment 5 Camila Camargo de Matos 2024-06-03 19:08:11 UTC
(In reply to Camila Camargo de Matos from comment #4)
> The patch for this issue is actually commit 2e32276 [0].
> 
> [0] https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333

Commit 06af417 [1] also seems to be a part of the fix for this issue. I am not sure if commits 8b2f8ba [2] and 7d37ffa [3] are also a part of the fix, as they are not referenced in the Chromium issue; however, it looks like they were committed to the upstream code on the same day as said fix. The former looks like it is simply a refactoring of the code.

[1] https://chromium-review.googlesource.com/c/webm/libvpx/+/5446418
[2] https://github.com/webmproject/libvpx/commit/8b2f8baee5acdc579b90a72e6ea787d4103b462e
[3] https://github.com/webmproject/libvpx/commit/7d37ffacc6f7c45554b48ca867be4223248f1ed6
Comment 8 Adrian Schröter 2024-07-03 15:43:02 UTC
Request 337239 for SP4; I have no test case though. Not sure if this is really enough.

I will try to double check, but please do also on your side.
Comment 10 Adrian Schröter 2024-07-03 17:57:13 UTC
request 337250 for SLE-15-SP0
Comment 14 Maintenance Automation 2024-07-11 12:30:14 UTC
SUSE-SU-2024:2409-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216879, 1225403, 1225879
CVE References: CVE-2023-44488, CVE-2023-6349, CVE-2024-5197
Maintenance Incident: [SUSE:Maintenance:34567](https://smelt.suse.de/incident/34567/)
Sources used:
SUSE Manager Server 4.3 (src):
 libvpx-1.11.0-150400.3.7.1
openSUSE Leap 15.4 (src):
 libvpx-1.11.0-150400.3.7.1
openSUSE Leap 15.5 (src):
 libvpx-1.11.0-150400.3.7.1
openSUSE Leap 15.6 (src):
 libvpx-1.11.0-150400.3.7.1
Basesystem Module 15-SP5 (src):
 libvpx-1.11.0-150400.3.7.1
Basesystem Module 15-SP6 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Package Hub 15 15-SP5 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Package Hub 15 15-SP6 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Manager Proxy 4.3 (src):
 libvpx-1.11.0-150400.3.7.1
SUSE Manager Retail Branch Server 4.3 (src):
 libvpx-1.11.0-150400.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2024-07-11 20:30:07 UTC
SUSE-SU-2024:2408-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1225403, 1225879
CVE References: CVE-2023-6349, CVE-2024-5197
Maintenance Incident: [SUSE:Maintenance:34569](https://smelt.suse.de/incident/34569/)
Sources used:
Desktop Applications Module 15-SP5 (src):
 libvpx-1.6.1-150000.6.16.1
Desktop Applications Module 15-SP6 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 libvpx-1.6.1-150000.6.16.1
SUSE Enterprise Storage 7.1 (src):
 libvpx-1.6.1-150000.6.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.