Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 819633 - <dev-java/openjfx-11.0.11_p1: OOB read in bundled gstreamer
Summary: <dev-java/openjfx-11.0.11_p1: OOB read in bundled gstreamer
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://openjdk.java.net/groups/vulne...
Whiteboard: ~4 [cleanup]
Keywords:
Depends on:
Blocks: CVE-2021-3522
  Show dependency tree
 
Reported: 2021-10-23 12:31 UTC by John Helmert III
Modified: 2021-11-18 04:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-23 12:31:32 UTC 
CVE-2021-3522:

GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.

This vulnerability is listed at URL and openjfx doesn't depend on an
external gstreamer, does this affect our openjfx?
Comment 1 Larry the Git Cow gentoo-dev 2021-11-18 04:49:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18fbd00f235dd87479fde7ea039a6b8339f8f6a

commit e18fbd00f235dd87479fde7ea039a6b8339f8f6a
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-11-18 04:48:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-11-18 04:48:45 +0000

    dev-java/openjfx: add gstreamer CVE-2021-3522 fix
    
    Bug: https://bugs.gentoo.org/819633
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../openjfx/files/11/gstreamer-CVE-2021-3522.patch | 31 ++++++++++++++++++++++
 dev-java/openjfx/openjfx-11.0.11_p1.ebuild         |  1 +
 2 files changed, 32 insertions(+)
Comment 2 Georgy Yakovlev archtester gentoo-dev 2021-11-18 04:50:13 UTC 
yes, this file is bundled with openjfx

I've added CVE patch in openjfx-11.0.11

will cleanup old versions sometime soon
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-18 04:57:03 UTC 
~arch only so changing severity.

Thanks!