217609 2008-04-14 09:42 0000 media-plugins/gst-plugins-speex <0.10.7-r1 speex implementations insufficient boundary checks 2008-04-17 12:17:29 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED WONTFIX B2 [] P2 normal --- 217715 1 vorlon@gentoo.org security@gentoo.org media-video@gentoo.org ssuominen@gentoo.org zaheerm@gentoo.org vorlon@gentoo.org 2008-04-14 09:42:00 0000 This bug is not public yet, please do not disclose any information. gst-plugins-good appears to include vulnerable speex code see http://www.ocert.org/advisories/ocert-2008-2.html as well as bug 216499 and bug 217373 for similar issues vorlon@gentoo.org 2008-04-14 09:48:12 0000 patch is available: http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41 rbu@gentoo.org 2008-04-14 16:03:25 0000 I wonder how this affects media-plugins/gst-plugins-speex ssuominen@gentoo.org 2008-04-14 17:08:34 0000 +*gst-plugins-speex-0.10.7-r1 (14 Apr 2008) + + 14 Apr 2008; Samuli Suominen <drac@gentoo.org> + +files/gst-plugins-speex-0.10.7-sec.patch, + +gst-plugins-speex-0.10.7-r1.ebuild: + Fix for security #217609. ssuominen@gentoo.org 2008-04-14 17:09:44 0000 gst-plugins-speex is a "gentoo split" from -good, so that's where it should be patched and for arches, http://samples.mplayerhq.hu/A-codecs/speex/talk109-q5.spx, a sample file rbu@gentoo.org 2008-04-14 17:26:54 0000 Arch Security Liaisons, please test and mark stable: =media-plugins/gst-plugins-speex-0.10.7-r1 Target keywords : "ppc ppc64 release sparc" CC'ing current Liaisons: ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor corsair@gentoo.org 2008-04-14 18:36:07 0000 ppc64 stable ssuominen@gentoo.org 2008-04-14 19:16:46 0000 corsair, fmccor, and others. because this needs gstreamer 0.10.17, make sure you stable also newer version of gst-plugins-ugly, 0.10.6-r1 or newer is OK. this is to avoid blockers, repoman won't reveal this. fmccor@gentoo.org 2008-04-14 19:46:07 0000 Sparc stable for gst-plugins-speex <0.10.7-r1. This requires also sparc stable for: gstreamer-0.10.7 gst-plugins-base-0.10.7 gst-plugins-ugly-10.6-r1 All done. vorlon@gentoo.org 2008-04-17 09:42:12 0000 now public via http://www.ocert.org/advisories/ocert-2008-004.html vorlon@gentoo.org 2008-04-17 10:19:11 0000 This will be fixed with the speex update in bug 217715, keeping open until the GLSA has been released. rbu@gentoo.org 2008-04-17 12:17:29 0000 speex has been sent as GLSA 200804-17, this also fixes this bug.