Accepting request 519848 from multimedia:libs

fix DoS attack vector OBS-URL: https://build.opensuse.org/request/show/519848 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvpx?expand=0&rev=33
2017-09-07 20:07:43 +00:00 · 2017-09-07 20:07:43 +00:00 · fd4e4931af
commit fd4e4931af
parent 76ffa0bc74 e326f99d37
2 changed files with 13 additions and 0 deletions
--- a/libvpx.changes
+++ b/libvpx.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 31 06:26:03 UTC 2017 - adrian@suse.de
+
+- limit maximum size to 8K Fulldome resolution to avoid
+  DoS attacks. CVE-2017-0641 boo#1056539
+
 -------------------------------------------------------------------
 Fri Mar  3 09:25:31 UTC 2017 - tchvatal@suse.com

--- a/libvpx.spec
+++ b/libvpx.spec
@ -131,6 +131,13 @@ cd build
    --extra-cflags="-std=gnu89 -U_FORTIFY_SOURCE %{optflags}" \
    --extra-cxxflags="-U_FORTIFY_SOURCE %{optflags}" \
    --enable-pic
+# size-limit to avoid CVE-2017-0641 DoS attacks. The limit is the
+# 8K Fulldome resolution and should be enough for all current use cases
+# bso#1056539
+# the --size-limit switch is broken atm ...
+echo '#define DECODE_WIDTH_LIMIT 8192'  >> vpx_config.h
+echo '#define DECODE_HEIGHT_LIMIT 8192' >> vpx_config.h
+
 make %{?_smp_mflags} verbose=yes GEN_EXAMPLES=

 %install