CVE-2017-12678 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12678):
In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefactory.cpp has a pointer to cast vulnerability, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted audio file.
References:
https://github.com/taglib/taglib/issues/829
https://github.com/taglib/taglib/pull/831
Patch:
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97
Thanks, fix pushed in git commit 96280e607739038a6f0ed6778fb3f01b82a5f534
Feel free to kick off stabilisation.
@ Arches, please test and mark stable: =media-libs/taglib-1.11.1-r1
ia64 stable
arm stable
amd64 stable
x86 stable
alpha stable
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc64 stable
ppc stable
hppa/sparc stable (thanks to Rolf Eike Beer)
GLSA Vote: No
@maintainers, please clean.
Vulnerable versions dropped in git commit d68e6c03460539eb97f782bfb46fa894d843841d
Thank you all