Lucene search

Gentoo FoundationMGASA-2024-0221

HistoryJun 14, 2024 - 8:30 p.m.

Updated libvpx packages fix security vulnerabilities

2024-06-1420:30:25

Gentoo Foundation

advisories.mageia.org

libvpx

integer overflows

security vulnerabilities

package update

cve-2024-5197

unix

5.9 Medium

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

PASSIVE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/SC:L/VI:H/SI:L/VA:N/SA:N

7.3 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

There exists integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. (CVE-2024-5197)

OSVersionArchitecturePackageVersionFilename
Mageia9noarchlibvpx< 1.12.0-1.3libvpx-1.12.0-1.3.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	9	noarch	libvpx	< 1.12.0-1.3	libvpx-1.12.0-1.3.mga9

References

bugs.mageia.org/show_bug.cgi?id=33281

ubuntu.com/security/notices/USN-6814-1