On Tue, May 27, 2025 at 10:52:40PM +0200, Salvatore Bonaccorso wrote:

Source: libvpx
Version: 1.12.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.15.0-2

Hi

The recent MFSA's for firefox mention the following issue as critical:

| A double-free could have occurred in vpx_codec_enc_init_multi after a
| failed allocation when initializing the encoder for WebRTC. This could
| have caused memory corruption and a potentially exploitable crash.

Cf. https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/

Fix is at: https://chromium.googlesource.com/webm/libvpx/+/1c758781c428c0e895645b95b8ff1512b6bdcecb

MR (for unstable) is at https://salsa.debian.org/multimedia-team/libvpx/-/merge_requests/5

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)