Bugzilla – Bug 1021517
VUL-0: CVE-2016-8710: libbpg: Image Decoding Code Execution [TALOS-2016-0223]
Last modified: 2017-02-06 17:46:18 UTC
Refs:
=================================================================================
[1] http://blog.talosintel.com/2017/01/vulnerability-spotlight-libbpg-image.html (Vulnerability Spotlight - LibBPG Image Decoding Code Execution)
[2] http://www.talosintelligence.com/reports/TALOS-2016-0223/ (Libbpg BGP image decoding Code Execution Vulnerability)
=================================================================================
[1] Known vulnerable versions: Libbpg - 0.9.4 and 0.9.7
https://software.opensuse.org/package/libbpg -- TW, 42.1|2, 13.2: 0.9.7.
BPG Specification: http://bellard.org/bpg/bpg_spec.txt
[2] Technical details (Crash Information chapter) and patch info (Mitigation chapter). In particular, please pay attention to the phrase: "The following patch will fix the vulnerability, but it is untested as to whether it breaks any legitimate images."
bugbot adjusting priority
only in graphics/libbpg
As Marcus already noted, libbpg only exists in the graphics/libbpg devel package and is not part of any openSUSE version. This will not be maintained by us. You may fix the bug, however, on your own devices.
Author contacted, waiting for an official statement.
Update: the author writes that he's not going to address the problem for the time being. Secondly, the patch itself appears to be a backport from the official libavcodec, but once applied, libbpg doesn't build anymore. If the reporter or anyone else wishes to give it a try, they're very welcome to. Regards
WONTFIX