CVE-2024-5197

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-5197
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-5197.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-5197
Related
Published
2024-06-03T14:15:09Z
Modified
2024-09-11T05:04:38.542725Z
Summary
[none]
Details

There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpximgalloc() with a large value of the dw, dh, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpximaget struct may be invalid. Calling vpximgwrap() with a large value of the dw, dh, or stridealign parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpximage_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond

References

Affected packages

Debian:11 / libvpx

Package

Name
libvpx
Purl
pkg:deb/debian/libvpx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.0-1+deb11u3

Affected versions

1.*

1.9.0-1
1.9.0-1+deb11u1
1.9.0-1+deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libvpx

Package

Name
libvpx
Purl
pkg:deb/debian/libvpx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0-1+deb12u3

Affected versions

1.*

1.12.0-1
1.12.0-1+deb12u1
1.12.0-1+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libvpx

Package

Name
libvpx
Purl
pkg:deb/debian/libvpx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.14.1-1

Affected versions

1.*

1.12.0-1
1.12.0-1.1
1.12.0-1.2
1.13.1-1
1.13.1-2
1.14.0-1
1.14.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}