Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 183145

Summary: media-libs/xvid <1.1.3 Avi/H263/MPEG array index vulnerability (CVE-2007-3329)
Product: Gentoo Security Reporter: Matt Drew (RETIRED) <aetius>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: dcecchin, gentoo, media-video, mr_bones_
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+] aetius
Package list:
Runtime testing required: ---

Description Matt Drew (RETIRED) gentoo-dev 2007-06-25 13:52:26 UTC

The xvid library is vulnerable to some array indexing problems when processing Avi, H.263, or MPEG files.

As of 25 June there's no patch, it may be that the maintainers don't even know about this yet.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2007-06-25 13:55:49 UTC
setting status.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2007-06-27 15:15:21 UTC
head is patched:
Comment 3 trefoil 2007-06-28 19:55:15 UTC
xvid-1.1.3 was released today w/this fix
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-06-30 23:58:46 UTC
*** Bug 183786 has been marked as a duplicate of this bug. ***
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-07-03 15:27:26 UTC
Bumped but temp. masked for testing. Security, don't do anything yet..

Applications in tree using xvid:


Reporting back here when it's tested and unmasked.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2007-07-03 16:09:46 UTC
Text relocation from bug 135326 is still present at version 1.1.3 which is now unmasked, it's NOT a regression to current stable 1.1.0-r3. I've tested mplayer and ffmpeg with multiple video files and they are fine.

Proceed and let arch teams test[1] and stable it.

[1] Would be nice to have input from arch testers about other applications listed in this bug.
Comment 7 Matt Drew (RETIRED) gentoo-dev 2007-07-12 13:17:40 UTC
ok moving to stable.  Arches, please stabilize:


Sorry about the delay.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-12 13:46:29 UTC
sparc stable.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-12 18:07:19 UTC
Stable for HPPA.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-07-12 18:31:54 UTC
ppc64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-07-12 21:18:34 UTC
alpha/x86 stable
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-07-13 00:27:26 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-07-13 13:47:59 UTC
ia64 stable, thanks drac for fixing this :)
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 21:17:26 UTC
ppc stable
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-07-30 10:37:45 UTC
arm folks, any progress?  I'm going ahead with the glsa-request on this, since we're already late.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-30 11:28:00 UTC
arm is not security supported, and the glsa has already been drafted by Dercorny, you may review it, and others drafts too actually :)
Comment 17 Mr. Bones. (RETIRED) gentoo-dev 2007-07-31 21:49:18 UTC
xvid-1.0.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
xvid-1.1.0-r1.ebuild:KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd"
xvid-1.1.0-r3.ebuild:KEYWORDS="alpha amd64 arm ~hppa ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
xvid-1.1.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"

Looks done to me except for ~mips at xvid-1.0.2
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-08 21:58:55 UTC
GLSA 200708-02, thanks everybody.