
Bug 603092

Summary: <media-libs/game-music-emu-0.6.1: Multiple issues due to incorrect emulation of the SPC700 audio co-processor of SNES
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: galtgendo, sound
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1405423
See Also: https://bugs.gentoo.org/show_bug.cgi?id=618346
Whiteboard: B2 [glsa cve]
Package list:
=media-libs/game-music-emu-0.6.1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 620516    

Description Agostino Sarubbo gentoo-dev 2016-12-19 13:38:07 UTC
From ${URL} :

Incorrect emulation of the SPC700 audio co-processor of the Super
Nintendo Entertainment System allows the execution of arbitrary code
if a malformed SPC music file is opened.

References:

http://scarybeastsecurity.blogspot.cz/2016/12/redux-compromising-linux-using-snes.html
http://seclists.org/oss-sec/2016/q4/682

CVE assignments:

http://seclists.org/oss-sec/2016/q4/692


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 00:04:07 UTC
@ Maintainer(s): Please bump to >=media-libs/game-music-emu-0.6.1
Comment 2 Alexis Ballier gentoo-dev 2017-02-27 09:36:32 UTC
*** Bug 611040 has been marked as a duplicate of this bug. ***
Comment 3 Alexis Ballier gentoo-dev 2017-02-27 09:39:23 UTC
commit 146d393d3bea760ce75f424897db6798310eed2b
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Mon Feb 27 10:38:45 2017 +0100

    media-libs/game-music-emu: Bump to 0.6.1, bug #603092


I think it can go stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:24:31 UTC
Stable on alpha.
Comment 5 Markus Meier gentoo-dev 2017-02-28 17:30:54 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-02 10:30:42 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-03-02 10:48:18 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-05 12:35:43 UTC
Stable for HPPA PPC64.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-03-08 22:12:53 UTC
ppc stable, last arch.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-24 05:27:07 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 05:41:42 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 12:33:18 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 01:04:10 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 14:51:30 UTC
Freeing aliases for tracker bug usage.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:32:37 UTC
This issue was resolved and addressed in GLSA 201707-02 at https://security.gentoo.org/glsa/201707-02 by GLSA coordinator Thomas Deutschmann (whissi).