634598 – (CVE-2017-15045, CVE-2017-15046) <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap over-read (CVE-2017-{15045,15046})

Bug 634598 (CVE-2017-15045, CVE-2017-15046) - <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap over-read (CVE-2017-{15045,15046})

Summary: <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap ...

Status:	RESOLVED FIXED

Alias:	CVE-2017-15045, CVE-2017-15046

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.opensuse.org/show_bu...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	635014
Blocks:	622936 635380
	Show dependency tree

Reported:	2017-10-18 01:23 UTC by Aleksandr Wagner (Kivak)
Modified:	2018-03-23 23:56 UTC (History)
CC List:	4 users (show)

See Also:
Package list:	=media-sound/lame-3.100-r1
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-10-18 01:23:12 UTC

CVE-2017-15045 (https://nvd.nist.gov/vuln/detail/CVE-2017-15045):

LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.

References:

https://sourceforge.net/p/lame/bugs/478/

CVE-2017-15046 (https://nvd.nist.gov/vuln/detail/CVE-2017-15046):

LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.

References:

https://sourceforge.net/p/lame/bugs/479/

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2017-10-18 06:28:39 UTC

commit cac3017eed6bec4140ba2dec99d67365bb1da66f (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Oct 18 08:26:42 2017

    media-sound/lame: Security bump to version 3.100 (bug #634598).

    Package-Manager: Portage-2.3.11, Repoman-2.3.3


I'd prefer to give this version some testing in ~arch first given that this is the first new release in years from that project...

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2017-10-25 07:19:41 UTC

Arches please test and mark stable =media-sound/lame-3.100 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris

Comment 3 Agostino Sarubbo gentoo-dev

2017-10-25 09:32:09 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-26 17:38:54 UTC

x86 stable

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-26 19:13:26 UTC

hppa stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-26 21:33:04 UTC

ia64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-26 21:47:50 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-28 22:23:02 UTC

ppc64 stable

Comment 9 Tobias Klausmann (RETIRED) gentoo-dev

2017-11-08 12:52:55 UTC

Stable on alpha.

Comment 10 Aleksandr Wagner (Kivak) 2017-11-08 17:20:12 UTC

@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.

Comment 11 Markus Meier gentoo-dev

2017-11-19 15:09:49 UTC

arm stable

Comment 12 Rolf Eike Beer archtester

2017-11-23 16:57:25 UTC

Builds fine on sparc, but how to test?

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2018-01-15 16:08:17 UTC

sparc is an unstable arch.

@sound, please clean or mask the vulnerable version.

Comment 14 Rolf Eike Beer archtester

2018-01-15 16:55:09 UTC

I have no sound hw in my sparc, the day I know how to sanely test this without I can mark it stable.

Comment 15 Mart Raudsepp gentoo-dev

2018-03-15 03:02:24 UTC

lame is an encoder, not decoder. So I guess you can just convert a wav into mp3 with lame on sparc and then grab that mp3 and see if playback of that file is good enough on a sound capable system or something.

Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-03-15 21:40:39 UTC

GLSA Vote: No.

@Maintainers please clean vulnerable versions.

(In reply to Rolf Eike Beer from comment #14)
> I have no sound hw in my sparc, the day I know how to sanely test this
> without I can mark it stable.

Rolf, hopefully with Mart's comment (#15) you'll be able to test lame, but security supported arches are done since 2017-11, we need to move on with this report.

Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-17 13:16:20 UTC

sparc stable

Comment 18 Aaron Bauman (RETIRED) gentoo-dev

2018-03-23 23:56:04 UTC

tree is clean.