From 6022329ad94cac589c0388f60557e6af40a86d4c1755a3a0f1ac27e36ae2ad1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 31 Aug 2017 06:26:51 +0000
Subject: [PATCH 1/2] update

OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvpx?expand=0&rev=79
---
 libvpx.changes | 6 ++++++
 libvpx.spec | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/libvpx.changes b/libvpx.changes
index 7691704..fb5b7c8 100644
--- a/libvpx.changes
+++ b/libvpx.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 31 06:26:03 UTC 2017 - adrian@suse.de
+
+- limit maximum size to 8K Fulldome resolution to avoid
+ DoS attacks. CVE-2017-0641 boo#1056539
+
 -------------------------------------------------------------------
 Fri Mar 3 09:25:31 UTC 2017 - tchvatal@suse.com
 
diff --git a/libvpx.spec b/libvpx.spec
index bfccdca..518f0cb 100644
--- a/libvpx.spec
+++ b/libvpx.spec
@@ -130,7 +130,11 @@ cd build
 %endif
 --extra-cflags="-std=gnu89 -U_FORTIFY_SOURCE %{optflags}" \
 --extra-cxxflags="-U_FORTIFY_SOURCE %{optflags}" \
- --enable-pic
+ --enable-pic \
+ --size-limit=8192×8192
+# size-limit to avoid CVE-2017-0641 DoS attacks. The limit is the
+# 8K Fulldome resolution and should be enough for all current use cases
+# bso#1056539
 make %{?_smp_mflags} verbose=yes GEN_EXAMPLES=
 
 %install

From e326f99d37b1efc5c296e99241ae1d89cf31375d26a34cdca69d5dd781dd5872 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 31 Aug 2017 06:33:37 +0000
Subject: [PATCH 2/2] fix

OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvpx?expand=0&rev=80
---
 libvpx.spec | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libvpx.spec b/libvpx.spec
index 518f0cb..e60fe58 100644
--- a/libvpx.spec
+++ b/libvpx.spec
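Review bot: The new `--size-limit=8192×8192` line after `--enable-pic \` separates width and height with the Unicode multiplication sign (U+00D7) rather than the ASCII `x` that libvpx's configure documents for this option (`--size-limit=WxH`); if configure splits on a literal `x`, the value is not parsed as two integers and the limit is never applied, which is consistent with the follow-up commit's "the --size-limit switch is broken" observation. The line should read `--size-limit=8192x8192`, and the build should fail loudly rather than proceed when configure rejects the option. The added comment cites `bso#1056539` while the .changes entry in the same commit cites `boo#1056539`; use one reference form so the bug link is unambiguous. The configure invocation this hunk edits starts before the hunk.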
@@ -130,11 +130,14 @@ cd build
 %endif
 --extra-cflags="-std=gnu89 -U_FORTIFY_SOURCE %{optflags}" \
 --extra-cxxflags="-U_FORTIFY_SOURCE %{optflags}" \
- --enable-pic \
- --size-limit=8192×8192
+ --enable-pic
 # size-limit to avoid CVE-2017-0641 DoS attacks. The limit is the
 # 8K Fulldome resolution and should be enough for all current use cases
 # bso#1056539
+# the --size-limit switch is broken atm ...
+echo '#define DECODE_WIDTH_LIMIT 8192' >> vpx_config.h
+echo '#define DECODE_HEIGHT_LIMIT 8192' >> vpx_config.h
+
 make %{?_smp_mflags} verbose=yes GEN_EXAMPLES=
 
 %install
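Review bot: Appending `DECODE_WIDTH_LIMIT` and `DECODE_HEIGHT_LIMIT` to `vpx_config.h` by hand most likely leaves the CVE-2017-0641 mitigation inert: in libvpx the decoder's dimension check is compiled only when `CONFIG_SIZE_LIMIT` is 1, and that macro is produced by the very `--size-limit` configure switch this hunk removes, so the generated header presumably still says `CONFIG_SIZE_LIMIT 0` and the two defines are never consulted — confirm with `grep CONFIG_SIZE_LIMIT vpx_config.h` after configure, or with a decode test whose declared frame size exceeds 8192. The switch is probably not broken; the previous commit wrote the value with a Unicode `×` (U+00D7), and `--size-limit=8192x8192` with an ASCII `x` should be accepted, which would make the two `echo` lines and the "broken atm" comment unnecessary. If the header edit is kept anyway, replace the comment with one that records the exact configure error seen, and add a post-configure check such as `grep -q '^#define CONFIG_SIZE_LIMIT 1' vpx_config.h || exit 1` so a silently ineffective limit fails the build instead of shipping. The configure invocation this hunk edits starts before the hunk.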