627316 – (CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664) <media-sound/wildmidi-0.3.13: Multiple vulnerabilities

Bug 627316 (CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664) - <media-sound/wildmidi-0.3.13: Multiple vulnerabilities

Summary: <media-sound/wildmidi-0.3.13: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa cve]
Keywords:

Duplicates (1):	635550 (view as bug list)
Depends on:
Blocks:

Reported:	2017-08-08 12:43 UTC by Agostino Sarubbo
Modified:	2018-11-25 01:01 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	media-sound/wildmidi-0.3.13
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-08-08 12:43:38 UTC

From ${URL} :

CVE-2017-11661

the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

CVE-2017-11662

the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

CVE-2017-11663

the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

CVE-2017-11664

the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

Upstream patch:

https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd

References:

http://seclists.org/fulldisclosure/2017/Aug/12


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-10-27 01:29:25 UTC

*** Bug 635550 has been marked as a duplicate of this bug. ***

Comment 2 Larry the Git Cow gentoo-dev

2018-08-22 21:06:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a6ad87c72f74317c6412384cfccd9dc2c085e4

commit e7a6ad87c72f74317c6412384cfccd9dc2c085e4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-22 21:05:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-22 21:06:37 +0000

    media-sound/wildmidi: 0.3.13 version bump, multiple security fixes
    
    CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664
    
    Bug: https://bugs.gentoo.org/627316
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-sound/wildmidi/Manifest               |  1 +
 media-sound/wildmidi/wildmidi-0.3.13.ebuild | 75 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2018-08-24 01:41:56 UTC

x86 stable

Comment 4 Mikle Kolyada (RETIRED) archtester

2018-08-24 03:39:29 UTC

amd64 stable

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2018-08-26 18:54:16 UTC

ppc stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2018-08-26 18:56:08 UTC

ppc64 stable

Comment 7 Markus Meier gentoo-dev

2018-09-19 16:58:19 UTC

arm stable, all arches done.

Comment 8 Larry the Git Cow gentoo-dev

2018-09-30 15:39:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78dc4b326a317b0dbada8261be2ce45016ded02f

commit 78dc4b326a317b0dbada8261be2ce45016ded02f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-20 10:16:23 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-30 15:39:00 +0000

    media-sound/wildmidi: Security cleanup
    
    Bug: https://bugs.gentoo.org/627316
    Package-Manager: Portage-2.3.49, Repoman-2.3.10
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-sound/wildmidi/Manifest                |  4 --
 media-sound/wildmidi/wildmidi-0.2.3.5.ebuild | 43 -----------------
 media-sound/wildmidi/wildmidi-0.3.6.ebuild   | 70 ----------------------------
 media-sound/wildmidi/wildmidi-0.3.7.ebuild   | 68 ---------------------------
 media-sound/wildmidi/wildmidi-0.3.8.ebuild   | 70 ----------------------------
 5 files changed, 255 deletions(-)