Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618022 (CVE-2017-8372, CVE-2017-8373, CVE-2017-8374) - <media-libs/libmad-0.15.1b-r9: multiple vulnerabilities (CVE-2017-{8372,8373,8374})
Summary: <media-libs/libmad-0.15.1b-r9: multiple vulnerabilities (CVE-2017-{8372,8373,...
Status: RESOLVED FIXED
Alias: CVE-2017-8372, CVE-2017-8373, CVE-2017-8374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-09 18:31 UTC by Agostino Sarubbo
Modified: 2018-11-25 04:17 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/libmad-0.15.1b-r9
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 23:21:26 UTC 
Debian seems to use patch https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/ for all the reported vulnerabilities.
Comment 2 Larry the Git Cow gentoo-dev 2018-10-03 21:11:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a877b25c4d29e1e60df8af384725e83c093fa734

commit a877b25c4d29e1e60df8af384725e83c093fa734
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-03 20:48:42 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-03 21:11:27 +0000

    media-libs/libmad: Fix vulnerabilities, EAPI-7 bump
    
    Debian does it, so let's use it too.
    
    Bug: https://bugs.gentoo.org/618022
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 ...CVE-2017-8372_CVE-2017-8373_CVE-2017-8374.patch | 197 +++++++++++++++++++++
 media-libs/libmad/libmad-0.15.1b-r9.ebuild         |  80 +++++++++
 2 files changed, 277 insertions(+)
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-04 23:12:42 UTC 
ia64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-05 04:52:02 UTC 
x86 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-05 08:50:10 UTC 
amd64 stable
Comment 6 Matt Turner gentoo-dev 2018-10-06 16:15:18 UTC 
ppc/ppc64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-06 22:31:55 UTC 
hppa stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-13 06:59:19 UTC 
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-10-29 05:37:20 UTC 
arm stable
Comment 10 Larry the Git Cow gentoo-dev 2018-11-04 22:51:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e128741cd6e2f3e753c76a2d0b69847044686a7b

commit e128741cd6e2f3e753c76a2d0b69847044686a7b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-04 22:49:51 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-04 22:50:43 +0000

    media-libs/libmad: Security cleanup
    
    Bug: https://bugs.gentoo.org/618022
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libmad/libmad-0.15.1b-r8.ebuild | 76 ------------------------------
 1 file changed, 76 deletions(-)
Comment 11 Rolf Eike Beer archtester 2018-11-08 23:03:41 UTC 
sparc stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 04:17:00 UTC 
tree is clean.