Executive Summary
Summary | |
---|---|
Title | libvpx security update |

Information | | | |
---|---|---|---|
Name | RHSA-2010:0999 | First vendor Publication | 2010-12-20 |
Vendor | RedHat | Last vendor Modification | 2010-12-20 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3

Cvss vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Problem Description:

Updated libvpx packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format.

An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially-crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203)

All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

651213 - CVE-2010-4203 libvpx: memory corruption flaw
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0999.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-190 | Integer Overflow or Wraparound (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12198 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:12198 | | |
Title: | Vulnerability in WebM libvpx (aka the VP8 Codec SDK) in Google Chrome before 7.0.517.44 | | |
Description: | WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames. | | |
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-4203 | Version: | 14 |
Platform(s): | Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7 | Product(s): | Google Chrome |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:12758 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:12758 | | |
Title: | USN-1015-1 -- libvpx vulnerability | | |
Description: | Christoph Diehl discovered that libvpx did not properly perform bounds checking. If an application using libvpx opened a specially crafted WebM file, an attacker could cause a denial of service or possibly execute code as the user invoking the program. | | |
Family: | unix | Class: | patch |
Reference(s): | USN-1015-1, CVE-2010-4203 | Version: | 5 |
Platform(s): | Ubuntu 10.10 | Product(s): | libvpx |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:22286 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:22286 | | |
Title: | RHSA-2010:0999: libvpx security update (Moderate) | | |
Description: | WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames. | | |
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0999-01, CVE-2010-4203 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | libvpx |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:23335 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23335 | | |
Title: | ELSA-2010:0999: libvpx security update (Moderate) | | |
Description: | WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames. | | |
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0999-01, CVE-2010-4203 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | libvpx |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:27598 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:27598 | | |
Title: | DEPRECATED: ELSA-2010-0999 -- libvpx security update (moderate) | | |
Description: | [0.9.0-8] - Fix CVE-2010-4203 (Resolves: rhbz#652440); [0.9.0-7] - Import 0.9.0-6 package from Fedora; - Add patch porting yasm syntax to gas (Related: rhbz#603113) | | |
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0999, CVE-2010-4203 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | libvpx |
Definition Synopsis: | | | |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File |
---|---|---|
2012-04-02 | Fedora Update for libvpx FEDORA-2011-11057 | nvt/gb_fedora_2011_11057_libvpx_fc16.nasl |
2011-03-09 | Gentoo Security Advisory GLSA 201101-03 (libvpx) | nvt/glsa_201101_03.nasl |
2010-12-09 | Fedora Update for libvpx FEDORA-2010-17876 | nvt/gb_fedora_2010_17876_libvpx_fc14.nasl |
2010-12-09 | Fedora Update for libvpx FEDORA-2010-17893 | nvt/gb_fedora_2010_17893_libvpx_fc13.nasl |
2010-11-23 | Ubuntu Update for libvpx vulnerability USN-1015-1 | nvt/gb_ubuntu_USN_1015_1.nasl |
2010-11-18 | Google Chrome multiple vulnerabilities - November 10 (Linux) | nvt/gb_google_chrome_mult_vuln_nov10_lin.nasl |
2010-11-18 | Google Chrome multiple vulnerabilities - November 10 (Windows) | nvt/gb_google_chrome_mult_vuln_nov10_win.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Title | Description |
---|---|---|
69169 | Google Chrome WebM libvpx Unspecified Memory Corruption | A memory corruption flaw exists in Google Chrome. The WebM libvpx component fails to sanitize user-supplied input when processing invalid frames, resulting in memory corruption. This may allow a context-dependent attacker to cause a denial of service or have other unspecified impact. |
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2010-0999.nasl | ACT_GATHER_INFO |
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20101220_libvpx_on_SL6_x.nasl | ACT_GATHER_INFO |
2011-09-12 | The remote Fedora host is missing a security update. | fedora_2011-11057.nasl | ACT_GATHER_INFO |
2011-01-17 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201101-03.nasl | ACT_GATHER_INFO |
2010-12-21 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2010-0999.nasl | ACT_GATHER_INFO |
2010-11-30 | The remote Fedora host is missing a security update. | fedora_2010-17876.nasl | ACT_GATHER_INFO |
2010-11-30 | The remote Fedora host is missing a security update. | fedora_2010-17893.nasl | ACT_GATHER_INFO |
2010-11-11 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-1015-1.nasl | ACT_GATHER_INFO |
2010-11-04 | The remote host contains a web browser that is affected by multiple vulnerabi... | google_chrome_7_0_517_44.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:54:12 | |