Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618022 (CVE-2017-8372, CVE-2017-8373, CVE-2017-8374)

Summary: <media-libs/libmad-0.15.1b-r9: multiple vulnerabilities (CVE-2017-{8372,8373,8374})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: nobrowser, sound
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [noglsa cve]
Package list:
media-libs/libmad-0.15.1b-r9
Runtime testing required: ---

Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-04 23:21:26 UTC
Debian seems to use patch https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/ for all the reported vulnerabilities.
Comment 2 Larry the Git Cow gentoo-dev 2018-10-03 21:11:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a877b25c4d29e1e60df8af384725e83c093fa734

commit a877b25c4d29e1e60df8af384725e83c093fa734
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-03 20:48:42 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-03 21:11:27 +0000

    media-libs/libmad: Fix vulnerabilities, EAPI-7 bump
    
    Debian does it, so let's use it too.
    
    Bug: https://bugs.gentoo.org/618022
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 ...CVE-2017-8372_CVE-2017-8373_CVE-2017-8374.patch | 197 +++++++++++++++++++++
 media-libs/libmad/libmad-0.15.1b-r9.ebuild         |  80 +++++++++
 2 files changed, 277 insertions(+)
Comment 3 Sergei Trofimovich gentoo-dev 2018-10-04 23:12:42 UTC
ia64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-10-05 04:52:02 UTC
x86 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-10-05 08:50:10 UTC
amd64 stable
Comment 6 Matt Turner gentoo-dev 2018-10-06 16:15:18 UTC
ppc/ppc64 stable
Comment 7 Sergei Trofimovich gentoo-dev 2018-10-06 22:31:55 UTC
hppa stable
Comment 8 Tobias Klausmann gentoo-dev 2018-10-13 06:59:19 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-10-29 05:37:20 UTC
arm stable
Comment 10 Larry the Git Cow gentoo-dev 2018-11-04 22:51:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e128741cd6e2f3e753c76a2d0b69847044686a7b

commit e128741cd6e2f3e753c76a2d0b69847044686a7b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-04 22:49:51 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-04 22:50:43 +0000

    media-libs/libmad: Security cleanup
    
    Bug: https://bugs.gentoo.org/618022
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/libmad/libmad-0.15.1b-r8.ebuild | 76 ------------------------------
 1 file changed, 76 deletions(-)
Comment 11 Rolf Eike Beer 2018-11-08 23:03:41 UTC
sparc stable
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 04:17:00 UTC
tree is clean.