Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598208 (CVE-2016-9085)

Summary: <media-libs/libwebp-0.5.2: several integer overflow (CVE-2016-9085)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: chromium, graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/10/26/9
Whiteboard: A2 [glsa cve]
Package list:
=media-libs/libwebp-0.5.2
Runtime testing required: ---
Bug Depends on: 595526    
Bug Blocks: 597756    

Description Agostino Sarubbo gentoo-dev 2016-10-27 08:19:04 UTC
From ${URL} :

* Several integer overflows:

Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private)

Fix:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-10-27 08:20:24 UTC
There is also:


* NULL pointer derreference

Bug report: https://bugs.chromium.org/p/webp/issues/detail?id=310 (private)

Fix:
https://chromium.googlesource.com/webm/libwebp/+/806f6279aef4de8deca01c8e727db4a508716e95


which did not receive a CVE but would be great to have the fix in the tree.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-09 23:04:29 UTC
Fixed via https://github.com/webmproject/libwebp/commit/bb23361 and https://github.com/webmproject/libwebp/commit/883d41f


@ Maintainer(s): Can we start stabilization of =media-libs/libwebp-0.5.2?
Comment 3 Mike Gilbert gentoo-dev 2017-01-09 23:14:36 UTC
No objection from me.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-10 00:04:27 UTC
@ Arches,

please test and mark stable: =media-libs/libwebp-0.5.2
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-10 12:35:40 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-10 15:23:56 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-11 10:49:50 UTC
sparc stable
Comment 8 Jeroen Roovers gentoo-dev 2017-01-12 13:58:07 UTC
(In reply to Mike Gilbert from comment #3)
> No objection from me.

You checked for open bugs against the package?
Comment 9 Markus Meier gentoo-dev 2017-01-13 16:55:46 UTC
arm stable
Comment 10 Jeroen Roovers gentoo-dev 2017-01-15 00:36:41 UTC
Stable for HPPA.
Comment 11 Mike Gilbert gentoo-dev 2017-01-15 00:43:08 UTC
(In reply to Jeroen Roovers from comment #8)
> You checked for open bugs against the package?

Yes, and I saw an unconfirmed bug report for an issue that only occurs with stupid CFLAGS.
Comment 12 Jeroen Roovers gentoo-dev 2017-01-15 12:01:15 UTC
(In reply to Mike Gilbert from comment #11)
> (In reply to Jeroen Roovers from comment #8)
> > You checked for open bugs against the package?
> 
> Yes, and I saw an unconfirmed bug report for an issue that only occurs with
> stupid CFLAGS.

1. It's unconfirmed so it needed further investigation, which could easily be
   done by using the CFLAGS from the bug report to reproduce the issue.
2. Since the fix was to employ some configure flags that were helpfully put in
   place upstream already, upstream apparently don't regard them as "stupid"
   like you do.
3. I can CC and un-CC myself. You don't need to do anything. Please don't.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 16:01:47 UTC
ppc stable
Comment 14 Mike Gilbert gentoo-dev 2017-01-15 17:00:18 UTC
(In reply to Jeroen Roovers from comment #12)

Sorry for my flippant response.

> I can CC and un-CC myself. You don't need to do anything. Please don't.

I copied you so that you would see my response, that's all.
Comment 15 Tobias Klausmann gentoo-dev 2017-01-15 22:20:54 UTC
Stable on alpha.
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-17 14:37:36 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:21 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-19 08:49:43 UTC
GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 11:07:19 UTC
This issue was resolved and addressed in
 GLSA 201701-61 at https://security.gentoo.org/glsa/201701-61
by GLSA coordinator Aaron Bauman (b-man).
Comment 20 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-24 11:08:21 UTC
re-opened for cleanup
Comment 21 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-27 00:10:10 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 22 Mike Gilbert gentoo-dev 2017-05-27 02:30:59 UTC
Done.
Comment 23 Thomas Deutschmann gentoo-dev Security 2017-05-27 09:20:33 UTC
Repository is clean, all done.

@ Arches and Maintainer(s): Thank you for your work.