CVE-2010-4203 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Nessus
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2010-0999.NASL
description: From Red Hat Security Advisory 2010:0999 : Updated libvpx packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 68168
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/68168
title: Oracle Linux 6 : libvpx (ELSA-2010-0999)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2010:0999 and
    # Oracle Linux Security Advisory ELSA-2010-0999 respectively.
    #

    include("compat.inc");

    if (description)
    {
      script_id(68168);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:09");

      script_cve_id("CVE-2010-4203");
      script_bugtraq_id(44771);
      script_xref(name:"RHSA", value:"2010:0999");

      script_name(english:"Oracle Linux 6 : libvpx (ELSA-2010-0999)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "From Red Hat Security Advisory 2010:0999 :

    Updated libvpx packages that fix one security issue are now available
    for Red Hat Enterprise Linux 6.

    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.

    The libvpx packages provide the VP8 SDK, which allows the encoding and
    decoding of the VP8 video codec, commonly used with the WebM
    multimedia container file format.

    An integer overflow flaw, leading to arbitrary memory writes, was
    found in libvpx. An attacker could create a specially crafted video
    encoded using the VP8 codec that, when played by a victim with an
    application using libvpx (such as Totem), would cause the application
    to crash or, potentially, execute arbitrary code. (CVE-2010-4203)

    All users of libvpx are advised to upgrade to these updated packages,
    which contain a backported patch to correct this issue. After
    installing the update, all applications using libvpx must be restarted
    for the changes to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-February/001858.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected libvpx packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

    flag = 0;
    if (rpm_check(release:"EL6", reference:"libvpx-0.9.0-8.el6_0")) flag++;
    if (rpm_check(release:"EL6", reference:"libvpx-devel-0.9.0-8.el6_0")) flag++;
    if (rpm_check(release:"EL6", reference:"libvpx-utils-0.9.0-8.el6_0")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvpx / libvpx-devel / libvpx-utils");
    }

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20101220_LIBVPX_ON_SL6_X.NASL
description: An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) After installing the update, all applications using libvpx must be restarted for the changes to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 60926
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/60926
title: Scientific Linux Security Update : libvpx on SL6.x i386/x86_64

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201101-03.NASL
description: The remote host is affected by the vulnerability described in GLSA-201101-03 (libvpx: User-assisted execution of arbitrary code) libvpx is vulnerable to an integer overflow vulnerability when processing crafted VP8 video streams. Impact : A remote attacker could entice a user to open a specially crafted media file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51533
published: 2011-01-17
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/51533
title: GLSA-201101-03 : libvpx: User-assisted execution of arbitrary code

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-1015-1.NASL
description: Christoph Diehl discovered that libvpx did not properly perform bounds checking. If an application using libvpx opened a specially crafted WebM file, an attacker could cause a denial of service or possibly execute code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50559
published: 2010-11-11
reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50559
title: Ubuntu 10.10 : libvpx vulnerability (USN-1015-1)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-17893.NASL
description: Update to 0.9.5 and apply patch from upstream to resolve CVE-2010-4203 libvpx: memory corruption flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50834
published: 2010-11-30
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50834
title: Fedora 13 : libvpx-0.9.5-2.fc13 (2010-17893)

NASL family: Windows
NASL id: GOOGLE_CHROME_7_0_517_44.NASL
description: The version of Google Chrome installed on the remote host is earlier than 7.0.517.44. Such versions are reportedly affected by multiple vulnerabilities :
  - A use-after-free error exists in text editing. (Issue #51602)
  - A memory corruption error exists relating to enormous text area. (Issue #55257)
  - A bad cast exists with the SVG use element. (Issue #58657)
  - An invalid memory read exists in XPath handling. (Issue #58731)
  - A use-after-free error exists in text control selections. (Issue #58741)
  - A memory corruption issue exists in libvpx. (Issue #60055)
  - A bad use of a destroyed frame object exists. (Issue #60238)
  - Multiple type confusions exists with event objects. (Issue #60327, #60769, #61255)
  - An out-of-bounds array access exists in SVG handling. (Issue #60688)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50476
published: 2010-11-04
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/50476
title: Google Chrome < 7.0.517.44 Multiple Vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-11057.NASL
description: Update to libvpx 0.9.7-p1 Update to libvpx 0.9.7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56146
published: 2011-09-12
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/56146
title: Fedora 16 : libvpx-0.9.7.1-1.fc16 (2011-11057)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2010-17876.NASL
description: Update to 0.9.5 and apply patch from upstream to resolve CVE-2010-4203 libvpx: memory corruption flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50833
published: 2010-11-30
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/50833
title: Fedora 14 : libvpx-0.9.5-2.fc14 (2010-17876)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2010-0999.NASL
description: Updated libvpx packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51354
published: 2010-12-21
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/51354
title: RHEL 6 : libvpx (RHSA-2010:0999)
Oval
accepted | 2013-08-12T04:01:13.177-04:00
class | vulnerability
contributors |
definition_extensions |
description | WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
family | windows
id | oval:org.mitre.oval:def:12198
status | accepted
submitted | 2010-11-27T06:04:55
title | Vulnerability in WebM libvpx (aka the VP8 Codec SDK) in Google Chrome before 7.0.517.44
version | 51
Redhat
advisories |
rpms |
References
- http://code.google.com/p/chromium/issues/detail?id=60055
- http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html
- http://review.webmproject.org/gitweb?p=libvpx.git%3Ba=blob%3Bf=CHANGELOG
- http://review.webmproject.org/gitweb?p=libvpx.git%3Ba=commit%3Bh=09bcc1f710ea65dc158639479288fb1908ff0c53
- http://secunia.com/advisories/42109
- http://secunia.com/advisories/42118
- http://secunia.com/advisories/42690
- http://secunia.com/advisories/42908
- http://security.gentoo.org/glsa/glsa-201101-03.xml
- http://www.vupen.com/english/advisories/2011/0115
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12198
- https://rhn.redhat.com/errata/RHSA-2010-0999.html