guix_mirror_bot pushed a commit to branch master
in repository guix.

commit c7d570ae7fe97a797e9f0b074090ccde50349086
Author: Mark H Weaver <m...@netris.org>
AuthorDate: Tue May 27 10:35:19 2025 -0400

    gnu: libvpx: Fix CVE-2025-5262.
    
    * gnu/packages/video.scm (libvpx) [replacement]: New field.
    (libvpx/fixed): New variable.
    * gnu/packages/patches/libvpx-CVE-2025-5262.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                    |  1 +
 gnu/packages/patches/libvpx-CVE-2025-5262.patch | 75 +++++++++++++++++++++++++
 gnu/packages/video.scm                          |  8 ++-
 3 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index fab64f55eb..f534768c2d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1788,6 +1788,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/libutils-remove-damaging-includes.patch \
   %D%/packages/patches/libvdpau-va-gl-unbundle.patch           \
   %D%/packages/patches/libvpx-CVE-2016-2818.patch              \
+  %D%/packages/patches/libvpx-CVE-2025-5262.patch              \
   %D%/packages/patches/libxcrypt-hurd64.patch                  \
   %D%/packages/patches/libxml2-xpath0-Add-option-xpath0.patch  \
   %D%/packages/patches/libwpd-gcc-compat.patch                 \
diff --git a/gnu/packages/patches/libvpx-CVE-2025-5262.patch 
b/gnu/packages/patches/libvpx-CVE-2025-5262.patch
new file mode 100644
index 0000000000..413487126b
--- /dev/null
+++ b/gnu/packages/patches/libvpx-CVE-2025-5262.patch
@@ -0,0 +1,75 @@
+Copied from 
<https://chromium.googlesource.com/webm/libvpx/+/1c758781c428c0e895645b95b8ff1512b6bdcecb%5E%21/>
+See also: 
<https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/#CVE-2025-5262>
+     and: 
<https://hg-edge.mozilla.org/releases/mozilla-esr128/rev/69f53ce5ef0bca2816a3b13cae570e835938c010>
+
+Author: James Zern <jz...@google.com>  Thu May 01 02:28:48 2025
+
+vpx_codec_enc_init_multi: fix double free on init failure
+
+In `vp8e_init()`, the encoder would take ownership of
+`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed.
+This caused confusion at the call site as other failures in
+`vp8e_init()` did not result in ownership transfer and the caller would
+free the memory. In the case of `vp8_create_compressor()` failure both
+the caller and `vpx_codec_destroy()` would free the memory, causing a
+crash. `mr_*` related variables are now cleared on failure to prevent
+this situation.
+
+Bug: webm:413411335
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421
+Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc
+
+--- a/vp8/vp8_cx_iface.c
++++ b/vp8/vp8_cx_iface.c
+@@ -727,17 +727,27 @@ static vpx_codec_err_t vp8e_init(vpx_cod
+       priv->pts_offset_initialized = 0;
+       priv->timestamp_ratio.den = priv->cfg.g_timebase.den;
+       priv->timestamp_ratio.num = (int64_t)priv->cfg.g_timebase.num;
+       priv->timestamp_ratio.num *= TICKS_PER_SEC;
+       reduce_ratio(&priv->timestamp_ratio);
+ 
+       set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg);
+       priv->cpi = vp8_create_compressor(&priv->oxcf);
+-      if (!priv->cpi) res = VPX_CODEC_MEM_ERROR;
++      if (!priv->cpi) {
++#if CONFIG_MULTI_RES_ENCODING
++        // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This
++        // prevents ownership confusion with the caller and avoids a double
++        // free when vpx_codec_destroy() is called on this instance.
++        priv->oxcf.mr_total_resolutions = 0;
++        priv->oxcf.mr_encoder_id = 0;
++        priv->oxcf.mr_low_res_mode_info = NULL;
++#endif
++        res = VPX_CODEC_MEM_ERROR;
++      }
+     }
+   }
+ 
+   return res;
+ }
+ 
+ static vpx_codec_err_t vp8e_destroy(vpx_codec_alg_priv_t *ctx) {
+ #if CONFIG_MULTI_RES_ENCODING
+--- a/vpx/src/vpx_encoder.c
++++ b/vpx/src/vpx_encoder.c
+@@ -109,16 +109,19 @@ vpx_codec_err_t vpx_codec_enc_init_multi
+           mr_cfg.mr_down_sampling_factor.num = dsf->num;
+           mr_cfg.mr_down_sampling_factor.den = dsf->den;
+ 
+           ctx->iface = iface;
+           ctx->name = iface->name;
+           ctx->priv = NULL;
+           ctx->init_flags = flags;
+           ctx->config.enc = cfg;
++          // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if
++          // this call succeeds. The first ctx entry in the array is
++          // responsible for freeing the memory.
+           res = ctx->iface->init(ctx, &mr_cfg);
+         }
+ 
+         if (res) {
+           const char *error_detail = ctx->priv ? ctx->priv->err_detail : NULL;
+           /* Destroy current ctx */
+           ctx->err_detail = error_detail;
+           vpx_codec_destroy(ctx);
+
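Review bot: The ownership reset added to `vp8e_init()` is compiled only under `#if CONFIG_MULTI_RES_ENCODING`, and the caller-side free of `mr_cfg.mr_low_res_mode_info` that it must pair with lies outside both embedded hunks, so the single-free guarantee cannot be confirmed from this patch alone. Only the `!priv->cpi` branch is visible here. The embedded description says the earlier failure paths in `vp8e_init()` never transferred ownership, but those paths and the body of `vp8e_destroy()` are cut off by the hunk boundaries. I would record the invariant in the patch header so it survives a rebase, for example `After a failed init only vpx_codec_enc_init_multi() frees mr_low_res_mode_info; vp8e_destroy() must see NULL.` When the patch is refreshed against a newer libvpx, check that the three `priv->oxcf.mr_*` fields are still cleared before `res = VPX_CODEC_MEM_ERROR;`.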
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7e72b4b2b5..f8acd116d5 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Andreas Enge <andr...@enge.fr>
 ;;; Copyright © 2014, 2015, 2016 David Thompson <da...@gnu.org>
-;;; Copyright © 2014, 2015, 2016, 2018, 2020 Mark H Weaver <m...@netris.org>
+;;; Copyright © 2014-2016, 2018, 2020, 2025 Mark H Weaver <m...@netris.org>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayi...@gmail.com>
 ;;; Copyright © 2015-2024 Efraim Flashner <efr...@flashner.co.il>
 ;;; Copyright © 2015, 2016 Andy Patterson <ajpat...@uwaterloo.ca>
@@ -2892,6 +2892,7 @@ To load this plugin, specify the following option when 
starting mpv:
   (package
     (name "libvpx")
     (version "1.15.0")
+    (replacement libvpx/fixed)
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -2930,6 +2931,11 @@ To load this plugin, specify the following option when 
starting mpv:
     (license license:bsd-3)
     (home-page "https://www.webmproject.org/";)))
 
+(define-public libvpx/fixed
+  (hidden-package
+   (package-with-extra-patches libvpx
+                               (search-patches "libvpx-CVE-2025-5262.patch"))))
+
 (define-public orfondl
   (package
     (name "orfondl")
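Review bot: `libvpx/fixed` is defined without a comment saying why the graft exists or when it can be removed, and the `(replacement libvpx/fixed)` field added in the preceding hunk carries none either. A line such as `;; Graft to fix CVE-2025-5262; fold the patch into libvpx's origin on the next update.` above the definition would keep the replacement from outliving the fix. A graft only rewrites references to the libvpx store item, so dependents that link libvpx statically or build a bundled copy are not reached by it and need a separate check. The `libvpx` package form begins and ends outside these hunks.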
