CVE-2016-7953 in libxvmc 1.0.9

Bug #1691532 reported by Joseph Yasi on 2017-05-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libxvmc (Ubuntu)

Bug Description

libxvmc 1.0.9 has an underflow vulnerability which is fixed in libxvmc 1.0.10.


CVE References

Joseph Yasi (joe-yasi) wrote :

The upstream fix is:

This patch is the only difference between 1.0.9 and 1.0.10.

Tyler Hicks (tyhicks) wrote :

Hi Joseph - thanks for the report. We are aware of this CVE and have triaged it in the Ubuntu CVE Tracker:

We have it rated as a 'low' which means that it will not be fixed in our stable Ubuntu releases unless there's a medium or higher issue found against libxvmc. This is to minimize regression risks for low impact security issues.

information type: Private Security → Public Security
Changed in libxvmc (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Joseph Yasi (joe-yasi) wrote :

Is this going to get pulled into Artful? It's been in Debian since Dec 5, 2016. It made it into Debian 9.

Timo Aaltonen (tjaalton) wrote :

This bug was fixed in the package libxvmc - 2:1.0.10-1

libxvmc (2:1.0.10-1) unstable; urgency=medium

  [ Andreas Boll ]
  * New upstream release.
    - Fixes CVE-2016-7953 (Closes: #840445).
  * Update d/upstream/signing-key.asc with Matthieu Herrb's key.
  * Update a bunch of URLs in packaging to https.
  * Remove Drew from Uploaders.
  * Add placeholder comment into series file.

  [ Emilio Pozuelo Monfort ]
  * Bump debhelper compat to 10.
  * Switch from xsfbs to dh.
  * Drop unneeded libtool and automake build-deps, debhelper now depends
    on and calls dh-autoreconf for us.
  * Switch to -dbgsym packages.
  * Move XvMCConfig to its target directory with libxvmc1.install.
  * Bump Standards-Version to 3.9.8, no changes.

 -- Emilio Pozuelo Monfort <email address hidden> Mon, 05 Dec 2016 19:52:24 +0100

Changed in libxvmc (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers