CVE-2017-12912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12912): The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a read access violation when opening a crafted MP3 file.
CVE-2017-12911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12911): The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a stack memory corruption when opening a crafted MP3 file.
the latter is a write issue which I had a way to see.
Upstream fixed CVE-2017-12911 last month. It was a blocker for the 1.6.2 release. I'll ping them about CVE-2017-12912 soon as Sourceforge cooperates with me accessing my account.
[master ace29cb9d332] media-sound/mp3gain: Bump (#630954), fix CVE-2017-12911 (#635548)
 3 files changed, 112 insertions(+)
 create mode 100644 media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-12911.patch
 create mode 100644 media-sound/mp3gain/mp3gain-1.6.1.ebuild
For the CVE-2017-12912 I couldn't find any fix :/ but I guess we can stabilize this version meantime
I am not sure if maybe clone this bug to cover the remaining security issue in the future :/ Anyway, for now we can stabilize 1.6.1
(In reply to Pacho Ramos from comment #4)
> I am not sure if maybe clone this bug to cover the remaining security issue
> in the future :/
>
> Anyway, for now we can stabilize 1.6.1
I think we can proceed to stabilize and address the other CVE with another stable call in this bug.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5162ff386be42cbfaadbb0bfa40aa41308c5b4ae
commit 5162ff386be42cbfaadbb0bfa40aa41308c5b4ae
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-21 23:18:27 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-21 23:18:27 +0000
    media-sound/mp3gain: amd64 stable wrt bug #635548
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
hppa stable
alpha stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1fd2a3efff669160051b646a1bd48c419be2fdd
commit c1fd2a3efff669160051b646a1bd48c419be2fdd
Author: Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-08 18:20:17 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-08 18:42:40 +0000
    media-sound/mp3gain: stable 1.6.1 for sparc
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"
 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
looks like ppc/ppc64 keywords were dropped. Moving on.
GLSA Vote: No
Tree is clean.