
Bug 195700

Summary: media-libs/flac < 1.2.1 Media File Processing Integer Overflow Vulnerabilities (CVE-2007-4619)
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/27210/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 190900, 191277, 191278, 191283, 191286, 191292    
Bug Blocks:    

Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 13:42:04 UTC
Some vulnerabilities have been reported in FLAC, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to integer overflow errors in various components when processing FLAC media files and can be exploited to cause heap-based buffer overflows via specially-crafted FLAC media files.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in version 1.2.0. Prior versions and other applications using the vulnerable library may also be affected.

Solution:
Update to version 1.2.1.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 13:53:35 UTC
Sound, please check whether our latest stable version is also affected.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-17 01:29:26 UTC
sound, assuming our current stable is also vulnerable, how do we proceed?
Is 1.2.1* ok to go stable or should we try to fix to 1.1.X?
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2007-10-21 06:08:14 UTC
We are stabilizing 1.2.1 but because it has a TEXT RELOCATION patch from PaX Team to go with I _strongly_ advise _every_ arch team to test both encoding and decoding properly. This version is API/ABI compatible with 1.1.4 which was going stable anyway so you _need_ to do bugs depending on this bug first, and yes, that means also _entire_ gstreamer with plugins.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2007-10-21 06:09:06 UTC
*** Bug 191280 has been marked as a duplicate of this bug. ***
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-10-21 06:16:04 UTC
Should have mentioned, it's media-libs/flac-1.2.1-r1
Comment 6 Markus Meier gentoo-dev 2007-10-21 16:10:52 UTC
x86 stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2007-10-21 19:43:00 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-22 05:39:21 UTC
Why was RESTRICT=test added?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-22 13:59:07 UTC
Stable for HPPA and SPARC.
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2007-10-22 14:23:45 UTC
(In reply to comment #8)
> Why was RESTRICT=test added?
> 

Temporary measure, drac is gonna find the problems and report upstream.
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2007-10-22 17:44:10 UTC
Sparc is not stable because reverse dependencies (which this bug depends on) aren't resolved yet.

20:27 <+CIA-29> jer * gentoo-x86/media-libs/flac/ (ChangeLog flac-1.2.1-r1.ebuild): 
20:27 <+CIA-29> Reverting sparc stabilisation due to reverse dependencies I cannot test.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-10-22 20:25:10 UTC
alpha/ia64 stable, thanks Tobias
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-10-23 16:11:36 UTC
ppc64 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-24 17:36:41 UTC
ppc stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-11-01 19:07:04 UTC
sparc stable, this is ready for glsa
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-01 19:12:29 UTC
request filed.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-12 21:48:13 UTC
GLSA 200711-15