Bug 622936

Summary:	<media-sound/lame-3.100-r1: multiple vulnerabilities (CVE-2017-{9869,9870,9871,9872})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	sound
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:	634598
Bug Blocks:

Description Agostino Sarubbo gentoo-dev

2017-06-28 15:51:30 UTC

https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c

https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c

https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c

https://blogs.gentoo.org/ago/2017/06/17/lame-heap-based-buffer-overflow-in-fill_buffer_resample-util-c

https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c

https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c

https://blogs.gentoo.org/ago/2017/06/17/lame-multiple-left-shift

https://blogs.gentoo.org/ago/2017/06/17/lame-two-ubsan-crashes

Comment 1 Agostino Sarubbo gentoo-dev

2017-06-28 15:52:05 UTC

And please consider also:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775959
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777160
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777161

Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-03-15 21:44:13 UTC

Downgrading, all reference produce DoS.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-03-23 23:56:45 UTC

tree is clean.