195700 2007-10-13 13:42 0000 media-libs/flac < 1.2.1 Media File Processing Integer Overflow Vulnerabilities (CVE-2007-4619) 2008-01-10 09:00:58 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27210/ B2 [glsa] P2 normal --- 190900 191277 191278 191283 191286 191292 1 keytoaster@gentoo.org security@gentoo.org mips@gentoo.org sound@gentoo.org keytoaster@gentoo.org 2007-10-13 13:42:04 0000 Some vulnerabilities have been reported in FLAC, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to integer overflow errors in various components when processing FLAC media files and can be exploited to cause heap-based buffer overflows via specially-crafted FLAC media files. Successful exploitation allows execution of arbitrary code. The vulnerabilities are reported in version 1.2.0. Prior versions and other applications using the vulnerable library may also be affected. Solution: Update to version 1.2.1. keytoaster@gentoo.org 2007-10-13 13:53:35 0000 Sound, please check whether our latest stable version is also affected. rbu@gentoo.org 2007-10-17 01:29:26 0000 sound, assuming our current stable is also vulnerable, how do we proceed? Is 1.2.1* ok to go stable or should we try to fix to 1.1.X ? ssuominen@gentoo.org 2007-10-21 06:08:14 0000 We are stabilizing 1.2.1 but because it has a TEXT RELOCATION patch from PaX Team to go with I _strongly_ advice _every_ arch team to test both encoding and decoding properly. This version is API/ABI compatible with 1.1.4 which was going stable anyway so you _need_ to do bugs depending on this bug first, and yes, that means also _entire_ gstreamer with plugins. ssuominen@gentoo.org 2007-10-21 06:09:06 0000 *** Bug 191280 has been marked as a duplicate of this bug. *** ssuominen@gentoo.org 2007-10-21 06:16:04 0000 Should have mention, it's media-libs/flac-1.2.1-r1 maekke@gentoo.org 2007-10-21 16:10:52 0000 x86 stable beandog@gentoo.org 2007-10-21 19:43:00 0000 amd64 stable jer@gentoo.org 2007-10-22 05:39:21 0000 Why was RESTRICT=test added? jer@gentoo.org 2007-10-22 13:59:07 0000 Stable for HPPA and SPARC. beandog@gentoo.org 2007-10-22 14:23:45 0000 (In reply to comment #8) > Why was RESTRICT=test added? > Temporary measure, drac is gonna find the problems and report upstream. ssuominen@gentoo.org 2007-10-22 17:44:10 0000 Sparc is not stable because reverse dependencies (which this bug depends on) aren't resolved yet. 20:27 <+CIA-29> jer * gentoo-x86/media-libs/flac/ (ChangeLog flac-1.2.1-r1.ebuild): 20:27 <+CIA-29> Reverting sparc stabilisation due to reverse dependencies I cannot test. armin76@gentoo.org 2007-10-22 20:25:10 0000 alpha/ia64 stable, thanks Tobias corsair@gentoo.org 2007-10-23 16:11:36 0000 ppc64 stable dertobi123@gentoo.org 2007-10-24 17:36:41 0000 ppc stable armin76@gentoo.org 2007-11-01 19:07:04 0000 sparc stable, this is ready for glsa rbu@gentoo.org 2007-11-01 19:12:29 0000 request filed. py@gentoo.org 2007-11-12 21:48:13 0000 GLSA 200711-15