| Summary: | media-plugins/gst-plugins-speex <0.10.7-r1 speex implementations insufficient boundary checks | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | media-video, ssuominen, zaheerm |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 217715 | | |
| Bug Blocks: | | | |

Description
Matthias Geerdsen (RETIRED)
2008-04-14 09:42:00 UTC
patch is available: http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/ext/speex/gstspeexdec.c?r1=1.40&r2=1.41

I wonder how this affects media-plugins/gst-plugins-speex

+*gst-plugins-speex-0.10.7-r1 (14 Apr 2008) + + 14 Apr 2008; Samuli Suominen <drac@gentoo.org> + +files/gst-plugins-speex-0.10.7-sec.patch, + +gst-plugins-speex-0.10.7-r1.ebuild: + Fix for security #217609.

gst-plugins-speex is a "gentoo split" from -good, so that's where it should be patched

and for arches, http://samples.mplayerhq.hu/A-codecs/speex/talk109-q5.spx, a sample file

Arch Security Liaisons, please test and mark stable:
=media-plugins/gst-plugins-speex-0.10.7-r1
Target keywords : "ppc ppc64 release sparc"

CC'ing current Liaisons:
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor

ppc64 stable

corsair, fmccor, and others. because this needs gstreamer 0.10.17, make sure you stable also newer version of gst-plugins-ugly, 0.10.6-r1 or newer is OK. this is to avoid blockers, repoman won't reveal this.

Sparc stable for gst-plugins-speex <0.10.7-r1. This requires also sparc stable for:
gstreamer-0.10.7
gst-plugins-base-0.10.7
gst-plugins-ugly-10.6-r1

All done.

now public via http://www.ocert.org/advisories/ocert-2008-004.html

This will be fixed with the speex update in bug 217715, keeping open until the GLSA has been released.

speex has been sent as GLSA 200804-17, this also fixes this bug.