CVE-2020-0034

Published: 10 March 2020

In vp8_decode_frame of decodeframe.c, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure if error correction were turned on, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1. Android ID: A-62458770

Priority

Low

CVSS 3 base score: 7.5

Status

Package: libvpx (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1.7.0-3)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (1.8.2-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1.8.2-1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.7.0-3ubuntu0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus): Needed
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://github.com/webmproject/libvpx/commit/45daecb4f73a47ab3236a29a3a48c52324cbf19a
Vendor: https://android.googlesource.com/platform/external/libvpx/+/30d0c20d0d04151530de62df3937de27c4f204fd