LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2010-4203
CVE STATUS: Patched
CVE SUMMARY: WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 9.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4203

LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2012-0823
CVE STATUS: Patched
CVE SUMMARY: VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers to cause a denial of service (application crash) via (1) unspecified "corrupt input" or (2) by "starting decoding from a P-frame," which triggers an out-of-bounds read, related to "the clamping of motion vectors in SPLITMV blocks".
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0823

LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2023-44488
CVE STATUS: Patched
CVE SUMMARY: VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44488

LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2023-5217
CVE STATUS: Patched
CVE SUMMARY: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 8.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5217

LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2023-6349
CVE STATUS: Patched
CVE SUMMARY: A heap overflow vulnerability exists in libvpx - Encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx.
We recommend upgrading to version 1.13.1 or above
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.5
CVSS v4 BASE SCORE: 5.7
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6349

LAYER: meta-oe
PACKAGE NAME: libvpx
PACKAGE VERSION: 1.14.1
CVE: CVE-2024-5197
CVE STATUS: Patched
CVE SUMMARY: There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 9.1
CVSS v4 BASE SCORE: 5.9
VECTOR: NETWORK
VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5197