CVE-2010-4203 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, google, webmproject, redhat, CWE-190, critical, nessus

Summary

WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.

Vulnerable Configurations

Part         Description  Count
Application  Google       782
Application  Webmproject  4
OS           Redhat       3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, for example as the size of a memory allocation. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, producing an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2010-0999.NASL
    description: From Red Hat Security Advisory 2010:0999 : Updated libvpx packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68168
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68168
    title: Oracle Linux 6 : libvpx (ELSA-2010-0999)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2010:0999 and 
    # Oracle Linux Security Advisory ELSA-2010-0999 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68168);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2010-4203");
      script_bugtraq_id(44771);
      script_xref(name:"RHSA", value:"2010:0999");
    
      script_name(english:"Oracle Linux 6 : libvpx (ELSA-2010-0999)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2010:0999 :
    
    Updated libvpx packages that fix one security issue are now available
    for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The libvpx packages provide the VP8 SDK, which allows the encoding and
    decoding of the VP8 video codec, commonly used with the WebM
    multimedia container file format.
    
    An integer overflow flaw, leading to arbitrary memory writes, was
    found in libvpx. An attacker could create a specially crafted video
    encoded using the VP8 codec that, when played by a victim with an
    application using libvpx (such as Totem), would cause the application
    to crash or, potentially, execute arbitrary code. (CVE-2010-4203)
    
    All users of libvpx are advised to upgrade to these updated packages,
    which contain a backported patch to correct this issue. After
    installing the update, all applications using libvpx must be restarted
    for the changes to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2011-February/001858.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libvpx packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libvpx-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/02/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"libvpx-0.9.0-8.el6_0")) flag++;
    if (rpm_check(release:"EL6", reference:"libvpx-devel-0.9.0-8.el6_0")) flag++;
    if (rpm_check(release:"EL6", reference:"libvpx-utils-0.9.0-8.el6_0")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvpx / libvpx-devel / libvpx-utils");
    }
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20101220_LIBVPX_ON_SL6_X.NASL
    description: An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) After installing the update, all applications using libvpx must be restarted for the changes to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60926
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60926
    title: Scientific Linux Security Update : libvpx on SL6.x i386/x86_64
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201101-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201101-03 (libvpx: User-assisted execution of arbitrary code) libvpx is vulnerable to an integer overflow vulnerability when processing crafted VP8 video streams. Impact : A remote attacker could entice a user to open a specially crafted media file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51533
    published: 2011-01-17
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/51533
    title: GLSA-201101-03 : libvpx: User-assisted execution of arbitrary code
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1015-1.NASL
    description: Christoph Diehl discovered that libvpx did not properly perform bounds checking. If an application using libvpx opened a specially crafted WebM file, an attacker could cause a denial of service or possibly execute code as the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50559
    published: 2010-11-11
    reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50559
    title: Ubuntu 10.10 : libvpx vulnerability (USN-1015-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-17893.NASL
    description: Update to 0.9.5 and apply patch from upstream to resolve CVE-2010-4203 libvpx: memory corruption flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50834
    published: 2010-11-30
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50834
    title: Fedora 13 : libvpx-0.9.5-2.fc13 (2010-17893)
  • NASL family: Windows
    NASL id: GOOGLE_CHROME_7_0_517_44.NASL
    description: The version of Google Chrome installed on the remote host is earlier than 7.0.517.44. Such versions are reportedly affected by multiple vulnerabilities : - A use-after-free error exists in text editing. (Issue #51602) - A memory corruption error exists relating to enormous text area. (Issue #55257) - A bad cast exists with the SVG use element. (Issue #58657) - An invalid memory read exists in XPath handling. (Issue #58731) - A use-after-free error exists in text control selections. (Issue #58741) - A memory corruption issue exists in libvpx. (Issue #60055) - A bad use of a destroyed frame object exists. (Issue #60238) - Multiple type confusions exist with event objects. (Issue #60327, #60769, #61255) - An out-of-bounds array access exists in SVG handling. (Issue #60688)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50476
    published: 2010-11-04
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50476
    title: Google Chrome < 7.0.517.44 Multiple Vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-11057.NASL
    description: Update to libvpx 0.9.7-p1. Update to libvpx 0.9.7. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56146
    published: 2011-09-12
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56146
    title: Fedora 16 : libvpx-0.9.7.1-1.fc16 (2011-11057)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-17876.NASL
    description: Update to 0.9.5 and apply patch from upstream to resolve CVE-2010-4203 libvpx: memory corruption flaw. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50833
    published: 2010-11-30
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/50833
    title: Fedora 14 : libvpx-0.9.5-2.fc14 (2010-17876)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2010-0999.NASL
    description: Updated libvpx packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. An integer overflow flaw, leading to arbitrary memory writes, was found in libvpx. An attacker could create a specially crafted video encoded using the VP8 codec that, when played by a victim with an application using libvpx (such as Totem), would cause the application to crash or, potentially, execute arbitrary code. (CVE-2010-4203) All users of libvpx are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, all applications using libvpx must be restarted for the changes to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 51354
    published: 2010-12-21
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/51354
    title: RHEL 6 : libvpx (RHSA-2010:0999)

Oval

accepted: 2013-08-12T04:01:13.177-04:00
class: vulnerability
contributors
  • name: SecPod Team
    organization: SecPod Technologies
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Kedovskaya
    organization: ALTX-SOFT
definition_extensions
  • comment: Google Chrome is installed
    oval: oval:org.mitre.oval:def:11914
description: WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
family: windows
id: oval:org.mitre.oval:def:12198
status: accepted
submitted: 2010-11-27T06:04:55
title: Vulnerability in WebM libvpx (aka the VP8 Codec SDK) in Google Chrome before 7.0.517.44
version: 51

Redhat

advisories
bugzilla
id: 651213
title: CVE-2010-4203 libvpx: memory corruption flaw
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: libvpx is earlier than 0:0.9.0-8.el6_0
          oval: oval:com.redhat.rhsa:tst:20100999001
        • comment: libvpx is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20100999002
      • AND
        • comment: libvpx-utils is earlier than 0:0.9.0-8.el6_0
          oval: oval:com.redhat.rhsa:tst:20100999003
        • comment: libvpx-utils is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20100999004
      • AND
        • comment: libvpx-devel is earlier than 0:0.9.0-8.el6_0
          oval: oval:com.redhat.rhsa:tst:20100999005
        • comment: libvpx-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20100999006
rhsa
id: RHSA-2010:0999
released: 2010-12-20
severity: Moderate
title: RHSA-2010:0999: libvpx security update (Moderate)
rpms
  • libvpx-0:0.9.0-8.el6_0
  • libvpx-debuginfo-0:0.9.0-8.el6_0
  • libvpx-devel-0:0.9.0-8.el6_0
  • libvpx-utils-0:0.9.0-8.el6_0