Bugzilla Bug 195700

Some vulnerabilities have been reported in FLAC, which can be exploited by
malicious people to compromise a user's system.

The vulnerabilities are caused due to integer overflow errors in various
components when processing FLAC media files and can be exploited to cause
heap-based buffer overflows via specially-crafted FLAC media files.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in version 1.2.0. Prior versions and other
applications using the vulnerable library may also be affected.

Solution:
Update to version 1.2.1.

Sound, please check whether our latest stable version is also affected.

sound, assuming our current stable is also vulnerable, how do we proceed?
Is 1.2.1* ok to go stable or should we try to fix to 1.1.X ?

We are stabilizing 1.2.1 but because it has a TEXT RELOCATION patch from PaX
Team to go with I _strongly_ advice _every_ arch team to test both encoding and
decoding properly. This version is API/ABI compatible with 1.1.4 which was
going stable anyway so you _need_ to do bugs depending on this bug first, and
yes, that means also _entire_ gstreamer with plugins.

*** Bug 191280 has been marked as a duplicate of this bug. ***

Should have mention, it's media-libs/flac-1.2.1-r1

x86 stable

amd64 stable

Why was RESTRICT=test added?

Stable for HPPA and SPARC.

(In reply to comment #8)
> Why was RESTRICT=test added?
> 

Temporary measure, drac is gonna find the problems and report upstream.

Sparc is not stable because reverse dependencies (which this bug depends on)
aren't resolved yet.

20:27 <+CIA-29> jer * gentoo-x86/media-libs/flac/ (ChangeLog
flac-1.2.1-r1.ebuild): 
20:27 <+CIA-29> Reverting sparc stabilisation due to reverse dependencies I
cannot test.

alpha/ia64 stable, thanks Tobias

ppc64 stable

ppc stable

sparc stable, this is ready for glsa

request filed.

GLSA 200711-15