[Buildroot] [git commit] package/libvpx: Add upstream security patch to fix CVE-2023-5217

Peter Korsgaard peter at korsgaard.com
Fri Sep 29 17:53:32 UTC 2023


commit: https://git.buildroot.net/buildroot/commit/?id=e99999d7cb1dca94d1073fc1b2db672152cd728b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fixes CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx in
Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote
attacker to potentially exploit heap corruption via a crafted HTML page.

https://www.openwall.com/lists/oss-security/2023/09/28/5

Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
[Peter: extend commit message, add _IGNORE_CVES]
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 .../0002-VP8-disallow-thread-count-changes.patch   | 38 ++++++++++++++++++++++
 package/libvpx/libvpx.mk                           |  3 ++
 2 files changed, 41 insertions(+)

diff --git a/package/libvpx/0002-VP8-disallow-thread-count-changes.patch b/package/libvpx/0002-VP8-disallow-thread-count-changes.patch
new file mode 100644
index 0000000000..d625255a9f
--- /dev/null
+++ b/package/libvpx/0002-VP8-disallow-thread-count-changes.patch
@@ -0,0 +1,38 @@
+From 3fbd1dca6a4d2dad332a2110d646e4ffef36d590 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern at google.com>
+Date: Mon, 25 Sep 2023 18:55:59 -0700
+Subject: [PATCH] VP8: disallow thread count changes
+
+Currently allocations are done at encoder creation time. Going from
+threaded to non-threaded would cause a crash.
+
+Bug: chromium:1486441
+Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4
+
+Fixes CVE-2023-5217: https://www.cve.org/CVERecord?id=CVE-2023-5217
+
+Upstream: https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
+Upstream: https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
+
+[Bernd: Removed patch for test/encode_api_test.cc]
+Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
+---
+ vp8/encoder/onyx_if.c   | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c
+index c65afc643bf..c5e9970c3cc 100644
+--- a/vp8/encoder/onyx_if.c
++++ b/vp8/encoder/onyx_if.c
+@@ -1447,6 +1447,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) {
+   last_h = cpi->oxcf.Height;
+   prev_number_of_layers = cpi->oxcf.number_of_layers;
+ 
++  if (cpi->initial_width) {
++    // TODO(https://crbug.com/1486441): Allow changing thread counts; the
++    // allocation is done once in vp8_create_compressor().
++    oxcf->multi_threaded = cpi->oxcf.multi_threaded;
++  }
+   cpi->oxcf = *oxcf;
+ 
+   switch (cpi->oxcf.Mode) {
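Review bot: The new guard in `vp8_change_config()` writes `cpi->oxcf.multi_threaded` back through the caller's `oxcf` pointer, so a request to change the thread count after creation is dropped without any error and the caller's own config struct is modified as a side effect. The TODO explains why the count cannot change but not that the request is silently overridden; I would extend it with something like `// NOTE: a changed oxcf->multi_threaded is overwritten here, not rejected; the caller gets no error.` `cpi->initial_width` appears to serve as the "encoder already configured" test, which is worth stating in the same comment. The function body starts and ends outside the hunk, and the patch header says the upstream `test/encode_api_test.cc` change was removed from this backport, so nothing in this tree exercises the guard.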
diff --git a/package/libvpx/libvpx.mk b/package/libvpx/libvpx.mk
index 67b25c9100..b558c41981 100644
--- a/package/libvpx/libvpx.mk
+++ b/package/libvpx/libvpx.mk
@@ -11,6 +11,9 @@ LIBVPX_LICENSE_FILES = LICENSE PATENTS
 LIBVPX_CPE_ID_VENDOR = webmproject
 LIBVPX_INSTALL_STAGING = YES
 
+# 0002-VP8-disallow-thread-count-changes.patch
+LIBVPX_IGNORE_CVES += CVE-2023-5217
+
 # ld is being used with cc options. therefore, pretend ld is cc.
 LIBVPX_CONF_ENV = \
 	LD="$(TARGET_CC)" \
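Review bot: The `LIBVPX_IGNORE_CVES += CVE-2023-5217` entry is linked to the patch only by the comment above it, so it would keep suppressing the CVE in the vulnerability report if the patch were later dropped or stopped applying while the packaged version still lacked the fix. The commit message indicates the fix is in libvpx 1.13.1, so the patch and this line should be removed together at that bump. A comment such as `# Drop together with patch 0002 when bumping to >= 1.13.1` would make that explicit.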


