Bugzilla – Bug 972021
VUL-0: CVE-2016-1621: libvpx: remote code execution via crafted media file
Last modified: 2018-07-18 14:43:49 UTC
CVE-2016-1621

libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1318185
https://android.googlesource.com/platform/frameworks/av/+/5a6788730acfc6fd8f4a6ef89d2c376572a26b55
https://android.googlesource.com/platform/external/libvpx/+/5a9753fca56f0eeb9f61e342b2fccffc364f9426
https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d

The code is apparently not in 1.3.0 libvpx, which is in SLE12. -> not affected. openSUSE 13.2 and 42.1 have 1.3.0 too, so not affected. Only openSUSE Factory seems to have the affected libwebm/ code.
bugbot adjusting priority
There is no official fix for 1.5.0 from upstream. The Android patches are quite large, containing other stuff and are for 1.4.0. Due to the nature of Factory I have decided to update the package to current git master instead. I hope there will be a new release soon. The testcases inside of the package got enabled now to have some test coverage at least.
request 377160
This is an autogenerated message for OBS integration: This bug (972021) was mentioned in https://build.opensuse.org/request/show/377649 Factory / libvpx
This is an autogenerated message for OBS integration: This bug (972021) was mentioned in https://build.opensuse.org/request/show/623663 15.0+42.3+Backports:SLE-12-SP2 / chromium+codec2+ffmpeg-2+ffmpeg-3+ffmpeg-4+libsodium+libvpx-1_6+zeromq