Bug 628190 (CVE-2017-12920, CVE-2017-12921, CVE-2017-12925) - <media-libs/libfpx-1.3.1_p10: multiple vulnerabilities (CVE-2017-{12920,12921,12925})
Status: RESOLVED FIXED
Alias: CVE-2017-12920, CVE-2017-12921, CVE-2017-12925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve cleanup]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2017-08-18 15:03 UTC by Agostino Sarubbo
Modified: 2018-06-21 19:21 UTC
CC List: 1 user

See Also:
Package list:
=media-libs/libfpx-1.3.1_p10
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Comment 1 Agostino Sarubbo gentoo-dev 2017-10-12 14:59:48 UTC
libfpx-1.3.1-10.tar.xz is available here: https://www.imagemagick.org/download/delegates/

It contains the fixes pushed by Niclas Rosenvik.
Please bump.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-10-12 21:03:40 UTC
CVE-2017-12920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12920):
  CDirectory::GetDirEntry in dir.cxx in libfpx 1.3.1_p6 allows remote
  attackers to cause a denial of service (NULL pointer dereference) via a
  crafted fpx image.

CVE-2017-12921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12921):
  PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3.1_p6
  allows remote attackers to cause a denial of service (NULL pointer
  dereference) via a crafted fpx image.

CVE-2017-12925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12925):
  Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p6
  allows remote attackers to cause a denial of service via a crafted fpx
  image.
Comment 3 Larry the Git Cow gentoo-dev 2017-10-12 21:19:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54550720b42f8a4bb3adaf6727ce8a47c5ed7892

commit 54550720b42f8a4bb3adaf6727ce8a47c5ed7892
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-12 21:08:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-12 21:18:50 +0000

    media-libs/libfpx: Bump to v1.3.1_p10 (CVE-2017-{12920,12921,12925})
    
    Bug: https://bugs.gentoo.org/628190
    Package-Manager: Portage-2.3.10, Repoman-2.3.3

 media-libs/libfpx/Manifest                |  1 +
 media-libs/libfpx/libfpx-1.3.1_p10.ebuild | 45 +++++++++++++++++++++++++++++++
 media-libs/libfpx/metadata.xml            |  3 +++
 3 files changed, 49 insertions(+)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-12 21:21:51 UTC
@ Arches,

please test and mark stable: =media-libs/libfpx-1.3.1_p10
Comment 5 Stabilization helper bot gentoo-dev 2017-10-12 22:00:57 UTC
An automated check of this bug failed - the following atom is unknown:

media-libs/libfpx-1.3.1_p10

Please verify the atom list.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 09:10:41 UTC
ia64 stable
Comment 7 Stabilization helper bot gentoo-dev 2017-10-13 10:01:00 UTC
An automated check of this bug failed - the following atom is unknown:

media-libs/libfpx-1.3.1_p10

Please verify the atom list.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-13 15:06:30 UTC
x86 stable
Comment 9 Stabilization helper bot gentoo-dev 2017-10-13 16:00:41 UTC
An automated check of this bug failed - the following atom is unknown:

media-libs/libfpx-1.3.1_p10

Please verify the atom list.
Comment 10 Manuel Rüger (RETIRED) gentoo-dev 2017-10-15 22:22:12 UTC
Stable on amd64
Comment 11 Stabilization helper bot gentoo-dev 2017-10-15 23:01:52 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-16 08:28:44 UTC
ppc64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-16 08:29:09 UTC
ppc stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-16 19:50:57 UTC
hppa stable
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:49:45 UTC
Stable on alpha.
Comment 16 Markus Meier gentoo-dev 2017-10-24 17:37:11 UTC
arm stable, all arches done.
Comment 17 Aleksandr Wagner (Kivak) 2017-10-24 19:02:45 UTC
Thank you arches.

@ Maintainer(s): Please clean vulnerable version from tree.

@ Security: Please vote on glsa.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-10-25 00:37:10 UTC
GLSA Vote: No
Comment 19 Michael Boyle 2018-06-18 01:09:16 UTC
@maintainer(s), please drop vulnerable.

Michael Boyle
Security Padawan
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-06-20 00:50:30 UTC
giving sparc a chance...
Comment 21 Larry the Git Cow gentoo-dev 2018-06-21 19:21:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ae2a50d7297299eafe28191e577885d22cfacea

commit 5ae2a50d7297299eafe28191e577885d22cfacea
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-21 16:47:38 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-21 19:21:01 +0000

    media-libs/libfpx: stable 1.3.1_p10 for sparc
    
    Bug: https://bugs.gentoo.org/628190
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 media-libs/libfpx/libfpx-1.3.1_p10.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)