A security flaw has been found in the libvpx software package. It is a software library used to work with the VP8 video compression format. The flaw is caused by an integer overflow and manifests itself when processing video data. It allows a remote, malicious attacker to carry out a DoS (Denial of Service) attack or to run arbitrary code by means of malformed frames. All users are advised to install the appropriate security patches.

Gentoo Linux Security Advisory                           GLSA 201101-03
  Severity: Normal
     Title: libvpx: User-assisted execution of arbitrary code
      Date: January 15, 2011
      Bugs: #345559
        ID: 201101-03

Synopsis

Timothy B. Terriberry discovered that libvpx contains an integer
overflow vulnerability in the processing of video streams that may
allow user-assisted execution of arbitrary code.


Background

libvpx is the VP8 codec SDK used to encode and decode video streams,
typically within a WebM format media file.

Affected packages

     Package            /  Vulnerable  /                    Unaffected
  1  media-libs/libvpx       < 0.9.5                          >= 0.9.5


Description

libvpx is affected by an integer overflow when processing crafted VP8
video streams.


Impact

A remote attacker could entice a user to open a specially crafted media
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.
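The advisory names the bug class (an integer overflow while sizing and filling a frame from stream-controlled values) but gives no internals, so the following is an added illustration, not libvpx's code and not a reproduction of the actual CVE-2010-4203 defect. It shows a hypothetical decoder that computes a frame buffer size in 32-bit arithmetic straight from header dimensions, beside a hardened version that bounds the dimensions, multiplies in 64 bits and caps the result against an explicit memory budget. The header layout, the limits, the bytes-per-pixel figure and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical frame header for this example. It is NOT libvpx's VP8
 * header; the field widths are chosen so the arithmetic below can wrap.
 */
struct frame_hdr {
    uint32_t width;
    uint32_t height;
};

/* Constructed decoder limits (assumptions, not libvpx values). */
#define BYTES_PER_PX     3u                      /* 8-bit, three full-res planes */
#define MAX_DIM          16384u                  /* largest dimension accepted */
#define MAX_FRAME_BYTES  (256u * 1024u * 1024u)  /* largest buffer accepted */

/*
 * Vulnerable pattern: the buffer size is computed in 32 bits directly from
 * attacker-controlled dimensions. A product above 2^32 wraps silently, so a
 * crafted header yields a tiny (here: zero-byte) allocation that the decoder
 * then fills with a full frame's worth of data.
 */
uint32_t frame_bytes_unchecked(const struct frame_hdr *h)
{
    return h->width * h->height * BYTES_PER_PX;  /* uint32_t arithmetic, wraps */
}

/* 1 if the unchecked path would allocate fewer bytes than it later writes. */
int unchecked_would_overflow(const struct frame_hdr *h, size_t payload_len)
{
    uint32_t alloc = frame_bytes_unchecked(h);
    /* The decoder would malloc(alloc) and then copy payload_len bytes in. */
    return payload_len > alloc;
}

/*
 * Hardened pattern: bound the dimensions first, multiply in a type that
 * cannot wrap for the bounded inputs, then cap against a memory budget.
 * Returns 1 and sets *out on success, 0 to reject the frame.
 */
int frame_bytes_checked(const struct frame_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 ||
        h->width > MAX_DIM || h->height > MAX_DIM)
        return 0;                                /* reject absurd geometry */

    uint64_t n = (uint64_t)h->width * h->height; /* <= 2^28, cannot wrap */
    n *= BYTES_PER_PX;                           /* <= 3 * 2^28, still safe */
    if (n > MAX_FRAME_BYTES)
        return 0;                                /* reject by budget */

    *out = (size_t)n;
    return 1;
}

/*
 * Toy decode step on the hardened path. Returns 0 on success, -1 if the
 * frame is rejected (bad geometry or allocation failure), -2 if the payload
 * does not fill the frame exactly (truncated or padded stream).
 */
int decode_frame_checked(const struct frame_hdr *h,
                         const uint8_t *payload, size_t payload_len)
{
    size_t need;
    if (!frame_bytes_checked(h, &need))
        return -1;
    if (payload_len != need)
        return -2;
    uint8_t *buf = malloc(need);
    if (!buf)
        return -1;
    memcpy(buf, payload, payload_len);           /* provably in bounds now */
    free(buf);
    return 0;
}

int main(void)
{
    /* Constructed crafted header: 65536 * 65536 * 3 = 3 * 2^32, wraps to 0. */
    struct frame_hdr crafted = { 65536u, 65536u };
    uint8_t payload[48] = { 0 };                 /* constructed frame data */
    size_t need = 0;

    printf("unchecked size for crafted header: %u bytes\n",
           frame_bytes_unchecked(&crafted));
    printf("unchecked path would overflow: %d\n",
           unchecked_would_overflow(&crafted, sizeof payload));
    printf("checked path accepts crafted header: %d\n",
           frame_bytes_checked(&crafted, &need));

    struct frame_hdr sane = { 4u, 4u };          /* 4x4x3 = 48 bytes */
    printf("sane frame decodes: %d\n",
           decode_frame_checked(&sane, payload, sizeof payload));
    return 0;
}
```

The wrap to zero is the worst case: `malloc(0)` succeeds on common allocators and the following copy writes the whole payload past a minimal heap chunk, which is the step that turns a size miscalculation into the code execution the advisory warns about. The checked path instead returns -1 and the caller drops the frame, so a crafted file costs the player one skipped frame rather than a crash. On GCC and Clang, `__builtin_mul_overflow` is a terser substitute for the 64-bit intermediate, but bounding the dimensions against what the decoder is actually willing to handle is still needed, because a product that fits in 64 bits can still be far larger than any sane frame.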


Workaround

There is no known workaround at this time.


Resolution

All libvpx users should upgrade to the latest stable version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libvpx-0.9.5"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these


References

  [ 1 ] CVE-2010-4203


Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
