596422 – (CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972) <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971,7972})

Bug 596422 (CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972) - <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971,7972})

Summary: <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971...

Status:	RESOLVED FIXED

Alias:	CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B2 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2016-10-07 10:21 UTC by Agostino Sarubbo
Modified:	2017-06-05 21:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=media-libs/libass-0.13.6
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-10-07 10:21:11 UTC

From ${URL} :

The open source libass library is used to read and render subtitles onto images or frames of a movie. It is a popular library used in a few well-known media players. It seems it is usually shipped statically? Not sure.

https://github.com/libass/libass <https://github.com/libass/libass>

Attached are 4 test cases and their asan/valgrind results tested against version 0.13.3. 

One is in wrap_lines_smart() (https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26 <https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26>).

One is coeff_blur121() (https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75 <https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75>).

The third is a huge memory allocation leading to a crash that wasn’t fixed because a good solution is unavailable at the moment.

The fourth is in check_allocations() (https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b <https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b>).

These should be fixed in the 0.13.4 release, but are fixed currently on master. Thanks to the libass team for the quick turnaround. 



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Alexis Ballier gentoo-dev

2016-10-10 10:22:20 UTC

commit 442752b75dce0d135e2039b7e3d0eb231f95752f
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Mon Oct 10 12:21:52 2016 +0200

    media-libs/libass: bump to 0.13.4, bug #596422
    


should be ok for stabilization

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-09 23:41:38 UTC

@ Maintainer(s): We missed comment #1. Newer versions are now in repository, can we stabilize =media-libs/libass-0.13.6 instead?

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-19 23:04:16 UTC

@ Arches,

please test and mark stable: =media-libs/libass-0.13.6

Comment 4 Agostino Sarubbo gentoo-dev

2017-01-20 09:27:21 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2017-01-20 09:47:58 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2017-01-20 11:08:02 UTC

ppc64 stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-21 11:38:47 UTC

Stable for HPPA.

Comment 8 Tobias Klausmann (RETIRED) gentoo-dev

2017-01-21 11:44:21 UTC

Stable on alpha.

Comment 9 Agostino Sarubbo gentoo-dev

2017-01-21 20:33:54 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-01-22 16:28:52 UTC

sparc stable

Comment 11 Agostino Sarubbo gentoo-dev

2017-01-23 16:28:06 UTC

ia64 stable

Comment 12 Markus Meier gentoo-dev

2017-02-05 16:59:58 UTC

arm stable, all arches done.

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2017-02-05 23:35:45 UTC

GLSA request filed

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2017-02-21 00:02:11 UTC

This issue was resolved and addressed in
 GLSA 201702-25 at https://security.gentoo.org/glsa/201702-25
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-21 00:03:27 UTC

Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-libs/libass-0.13.4!

Comment 16 Yury German Gentoo Infrastructure

2017-05-26 23:54:12 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 17 Tim Harder gentoo-dev

2017-06-05 21:26:38 UTC

They're now gone from the tree.

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-05 21:39:25 UTC

@ Maintainer(s): Thank you for your work!