Bug 581952 (CVE-2016-4352)

Summary: <media-video/mplayer-1.3.0-r3: integer overflow
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: media-video
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
media-video/mplayer-1.3.0-r3 media-sound/toolame-02l-r4 arm
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-05-03 09:10:21 UTC
From ${URL} :

A crash caused by an integer overflow parsing a gif was found in the last
revision of mplayer. It seems to affect older versions too. It was recently
fixed (r37857). Technical details and a reproducer are available here:

I verified that this issue affects mencoder, so you should check if you are
using it for conversion of gif files. This crash was found by QuickFuzz.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2017-06-17 20:09:23 UTC
Comment 2 Alexis Ballier gentoo-dev 2017-10-08 12:24:20 UTC
this has been merged long ago in mplayer-1.3.0-r3.ebuild; cc'ing arches
Comment 3 Stabilization helper bot gentoo-dev 2017-10-08 13:01:10 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/mplayer/mplayer-1.3.0-r3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-sound/toolame']
> dependency.bad media-video/mplayer/mplayer-1.3.0-r3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-sound/toolame']
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-10-11 17:44:44 UTC
Stable on amd64
Comment 5 Thomas Deutschmann gentoo-dev 2017-10-12 21:19:33 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 00:15:26 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 09:50:48 UTC
ppc/ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 19:20:36 UTC
hppa stable
Comment 9 Markus Meier gentoo-dev 2017-10-14 06:15:50 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:51:14 UTC
Stable on alpha.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-22 23:59:11 UTC
Downgraded to B3. No PoC for ACE/RCE.

@maintainers, please clean the vulnerable versions.

GLSA Vote: No
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 20:30:45 UTC
please clean.