
Bug 407673

Summary: <media-libs/taglib-1.7-r1: Multiple Vulnerabilities Due to Improper Sanity Checks (CVE-2012-{1107,1108})
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Michael Harrison 2012-03-10 12:58:50 UTC
CVE-2012-1107
[1] A crafted ogg file with sampleRate as "0" leads to crash in the
application using taglib.

Upstream Commit:
https://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23

CVE-2012-1108
[2] "vendorLength" field modification in ogg tag parsing causes crash in
the application using taglib.

Upstream Commit:
https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59

References:
http://secunia.com/advisories/48211/
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-03-10 13:13:29 UTC
taglib-1.7-r1 in Portage with the two commits backported
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-03-10 13:14:42 UTC
Arches, test and stabilize:

=media-libs/taglib-1.7-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 3 Brent Baude (RETIRED) gentoo-dev 2012-03-10 17:08:05 UTC
ppc done
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-03-10 22:14:23 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-03-11 13:51:13 UTC
ppc64 done
Comment 6 Agostino Sarubbo gentoo-dev 2012-03-11 15:41:33 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-13 11:41:47 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-03-17 17:34:26 UTC
alpha/arm/ia64/sh/sparc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-17 22:19:52 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-03-19 05:36:21 UTC
GLSA Vote: no.
Comment 11 Andreas K. Hüttel archtester gentoo-dev 2012-03-25 20:02:38 UTC
Vulnerable version removed from the tree. Thanks everyone.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-06 16:22:53 UTC
Added to GLSA request with bug 410953.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-22 16:51:18 UTC
This issue was resolved and addressed in
 GLSA 201206-16 at http://security.gentoo.org/glsa/glsa-201206-16.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:35:46 UTC
CVE-2012-1108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1108):
  The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows
  remote attackers to cause a denial of service (crash) via a crafted
  vendorLength field in an ogg file.

CVE-2012-1107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1107):
  The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.7 and
  earlier allows context-dependent attackers to cause a denial of service
  (application crash) via a crafted sampleRate in an ape file, which triggers
  a divide-by-zero error.
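
The two defect classes reported in this bug, an unchecked vendorLength field and a division by a sampleRate of 0, shown as an added C++ example of the sanity checks involved. This is not the upstream TagLib patch or TagLib code; `XiphComment`, `parseXiphComment`, `lengthSeconds` and the sample bytes are hypothetical names and constructed data.

```cpp
// Added illustration, not TagLib code; every name below is hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct XiphComment { std::string vendor; std::vector<std::string> fields; };

// Read a 32-bit little-endian value; fails if fewer than 4 bytes remain.
static bool readLE32(const std::vector<uint8_t> &d, size_t &pos, uint32_t &out) {
  if (d.size() - pos < 4) return false;  // invariant: pos <= d.size()
  out = uint32_t(d[pos]) | uint32_t(d[pos + 1]) << 8 |
        uint32_t(d[pos + 2]) << 16 | uint32_t(d[pos + 3]) << 24;
  pos += 4;
  return true;
}

// Copy `len` untrusted bytes: compare with the bytes remaining, since pos + len can overflow.
static bool readBytes(const std::vector<uint8_t> &d, size_t &pos, uint32_t len, std::string &out) {
  if (len > d.size() - pos) return false;
  auto first = d.begin() + static_cast<std::ptrdiff_t>(pos);
  out.assign(first, first + len);
  pos += len;
  return true;
}

// Layout: vendorLength, vendor, fieldCount, then (length, "NAME=value") pairs.
bool parseXiphComment(const std::vector<uint8_t> &d, XiphComment &c) {
  size_t pos = 0; uint32_t len = 0, count = 0;
  if (!readLE32(d, pos, len) || !readBytes(d, pos, len, c.vendor)) return false;
  if (!readLE32(d, pos, count)) return false;
  for (uint32_t i = 0; i < count; ++i) {  // no allocation sized by `count`
    std::string f;
    if (!readLE32(d, pos, len) || !readBytes(d, pos, len, f)) return false;
    c.fields.push_back(f);
  }
  return true;
}

// Stream duration in seconds; a sampleRate of 0 yields 0 instead of a division.
uint32_t lengthSeconds(uint64_t totalSamples, uint32_t sampleRate) {
  return sampleRate == 0 ? 0 : static_cast<uint32_t>(totalSamples / sampleRate);
}

int main() {
  const std::vector<uint8_t> crafted = {0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b'};  // constructed: claims 4 GiB vendor
  XiphComment c;
  std::printf("parsed=%d seconds=%u\n", parseXiphComment(crafted, c), lengthSeconds(441000, 0));
}
```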