Bug 636876 (CVE-2017-16663) - <media-gfx/sam2p-0.49.4_p20190718: Integer overflow vulnerability (CVE-2017-16663)
Summary: <media-gfx/sam2p-0.49.4_p20190718: Integer overflow vulnerability (CVE-2017-16663)
Status: RESOLVED FIXED
Alias: CVE-2017-16663
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/pts/sam2p/issues/16
Whiteboard: B3 [noglsa cve]
Blocks: CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631, CVE-2017-14636, CVE-2017-14637, CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553, CVE-2018-7554
Reported: 2017-11-08 16:46 UTC by GLSAMaker/CVETool Bot
Modified: 2020-11-11 00:26 UTC (History)

Package list:
media-gfx/sam2p-0.49.4_p20190718-r1
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-08 16:46:54 UTC
CVE-2017-16663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16663):
  In sam2p 0.49.4, there are integer overflows (with resultant heap-based
  buffer overflows) in input-bmp.ci in the function ReadImage, because "width
  * height" multiplications occur unsafely.
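The "width * height" pattern the CVE description names, shown as an added example that is not sam2p's code and not the upstream fix (the actual fix is the commit linked in Comment 2). The decoder below is hypothetical: it pulls width, height and bit depth out of a constructed BITMAPINFOHEADER, computes the pixel buffer size the unsafe way (32-bit product that wraps, so a huge image yields a small malloc that the decode loop then overruns) and the hardened way (64-bit product checked against an assumed 1 GiB cap before any allocation). MAX_PIXEL_BYTES and all function names are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on the pixel buffer a decoder is willing to allocate. */
#define MAX_PIXEL_BYTES ((uint64_t)1 << 30)

/* BMP headers are little-endian. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Vulnerable pattern: the product is formed in 32-bit arithmetic and wraps
 * modulo 2^32. The caller mallocs this many bytes but still loops over the
 * real width*height pixels, writing past the end of the heap block. */
uint32_t unsafe_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel) {
    return width * height * bytes_per_pixel;
}

/* Hardened version: widen to 64 bits so the product cannot wrap, then bound
 * it before it is ever used as an allocation size. Returns false on a zero
 * dimension or when the image exceeds the cap; nothing is allocated then. */
bool safe_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel, size_t *out) {
    if (width == 0 || height == 0 || bytes_per_pixel == 0) return false;
    uint64_t pixels = (uint64_t)width * height;      /* fits in 64 bits */
    if (pixels > MAX_PIXEL_BYTES / bytes_per_pixel) return false;
    *out = (size_t)(pixels * bytes_per_pixel);
    return true;
}

/* Extract width (offset 18), height (offset 22, signed: negative means
 * top-down) and bit depth (offset 28) from a 54-byte BMP file header plus
 * BITMAPINFOHEADER. Only those three fields are parsed. */
bool parse_bmp_dims(const unsigned char *hdr, size_t len,
                    uint32_t *width, uint32_t *height, uint32_t *bpp_bytes) {
    if (len < 54 || hdr[0] != 'B' || hdr[1] != 'M') return false;
    int32_t w = (int32_t)le32(hdr + 18);
    int32_t h = (int32_t)le32(hdr + 22);
    uint16_t bits = le16(hdr + 28);
    if (w <= 0 || h == 0 || h == INT32_MIN) return false;   /* -INT32_MIN overflows */
    if (bits != 8 && bits != 24 && bits != 32) return false;
    *width = (uint32_t)w;
    *height = (uint32_t)(h < 0 ? -h : h);
    *bpp_bytes = bits / 8;
    return true;
}

/* Allocate the pixel buffer only after the checked size computation. */
unsigned char *alloc_pixels_checked(const unsigned char *hdr, size_t len, size_t *size_out) {
    uint32_t w, h, bpp;
    size_t n;
    if (!parse_bmp_dims(hdr, len, &w, &h, &bpp)) return NULL;
    if (!safe_buffer_size(w, h, bpp, &n)) return NULL;
    *size_out = n;
    return malloc(n);
}

/* Build a constructed 54-byte header with the given dimensions (test input). */
void make_header(unsigned char *hdr, int32_t width, int32_t height, uint16_t bits) {
    memset(hdr, 0, 54);
    hdr[0] = 'B'; hdr[1] = 'M';
    put_le32(hdr + 10, 54);                 /* pixel data offset */
    put_le32(hdr + 14, 40);                 /* BITMAPINFOHEADER size */
    put_le32(hdr + 18, (uint32_t)width);
    put_le32(hdr + 22, (uint32_t)height);
    hdr[26] = 1;                            /* colour planes */
    hdr[28] = (unsigned char)(bits & 0xff);
    hdr[29] = (unsigned char)(bits >> 8);
}

int main(void) {
    /* 0x20000 * 0x8001 = 0x100020000: wraps to 0x20000 pixels in 32 bits. */
    unsigned char hdr[54];
    size_t n = 0;
    make_header(hdr, 0x20000, 0x8001, 24);
    printf("unsafe size for 131072x32769x24bpp: %u bytes\n",
           unsafe_buffer_size(0x20000u, 0x8001u, 3u));
    printf("checked alloc: %s\n", alloc_pixels_checked(hdr, sizeof hdr, &n) ? "ok" : "rejected");
    make_header(hdr, 640, -480, 24);
    unsigned char *px = alloc_pixels_checked(hdr, sizeof hdr, &n);
    printf("checked alloc for 640x480x24bpp: %s (%zu bytes)\n", px ? "ok" : "rejected", n);
    free(px);
    return 0;
}
```

The constructed 131072x32769 header is the kind of input the CVE describes: the unsigned 32-bit product wraps to 131072 pixels, so the unsafe path would malloc 393216 bytes for an image that needs over 12 GiB, and every row after the first few lands outside the block. The checked path rejects it before calling malloc.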
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-08 16:49:25 UTC
@Maintainers keep in mind bug 631636, after the bump please call for stabilization when ready.

Thank you
Comment 2 D'juan McDonald (domhnall) 2017-11-13 22:59:10 UTC
Upstream Patch: https://github.com/pts/sam2p/commit/b3dd8209cc98673d682e82971bf822568f8efa27

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 3 Larry the Git Cow gentoo-dev 2020-10-04 17:09:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=173810552f074b83f9d0bdee1e50e5691904b9d9

commit 173810552f074b83f9d0bdee1e50e5691904b9d9
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-10-04 17:09:13 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-10-04 17:09:13 +0000

    media-gfx/sam2p: Security bump
    
    Bug: https://bugs.gentoo.org/631636
    Bug: https://bugs.gentoo.org/636876
    Bug: https://bugs.gentoo.org/649750
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16286
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-gfx/sam2p/Manifest                          |  1 +
 media-gfx/sam2p/files/sam2p-configure-strip.patch | 30 +++++++++++
 media-gfx/sam2p/sam2p-0.49.4_p20190718.ebuild     | 62 +++++++++++++++++++++++
 3 files changed, 93 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2020-10-10 05:08:42 UTC
Unable to check for sanity:

> no match for package: media-gfx/sam2p-0.49.4_p20190718
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-11 17:47:30 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-11 23:38:15 UTC
sparc done
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-13 05:20:58 UTC
tatt looks good for amd64.

USE tests started on Mon Oct 12 23:04:37 CDT 2020

FEATURES=' test' USE='' succeeded for =media-gfx/sam2p-0.49.4_p20190718-r1
USE='-examples -gif' succeeded for =media-gfx/sam2p-0.49.4_p20190718-r1
USE='examples -gif' succeeded for =media-gfx/sam2p-0.49.4_p20190718-r1
USE='-examples gif' succeeded for =media-gfx/sam2p-0.49.4_p20190718-r1
USE='examples gif' succeeded for =media-gfx/sam2p-0.49.4_p20190718-r1

revdep tests started on Mon Oct 12 23:10:33 CDT 2020

FEATURES=' test' USE='' succeeded for app-text/texlive
Comment 8 Agostino Sarubbo gentoo-dev 2020-10-13 09:27:06 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-10-13 09:51:50 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-10-13 09:58:14 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-10-13 10:01:52 UTC
x86 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-15 22:42:18 UTC
hppa stable
Comment 13 Larry the Git Cow gentoo-dev 2020-11-11 00:25:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eb198608ec3087deffd074ab6a8be044165051a

commit 6eb198608ec3087deffd074ab6a8be044165051a
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-10-16 01:12:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-11 00:25:33 +0000

    media-gfx/sam2p: drop 0.49.3 (security)
    
    Bug: https://bugs.gentoo.org/636876
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/17945
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/sam2p/Manifest                           |   1 -
 .../sam2p/files/sam2p-0.49.3-build-fixes.patch     | 160 ---------------------
 media-gfx/sam2p/files/sam2p-0.49.3-perl526.patch   |  23 ---
 media-gfx/sam2p/sam2p-0.49.3.ebuild                |  47 ------
 4 files changed, 231 deletions(-)