
Bug 634598 (CVE-2017-15045, CVE-2017-15046)

Summary: <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap over-read (CVE-2017-{15045,15046})
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: eike, leio, Manfred.Knick, sound
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 635014
Bug Blocks: 622936, 635380

Description Aleksandr Wagner (Kivak) 2017-10-18 01:23:12 UTC
CVE-2017-15045

LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.

CVE-2017-15046

LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.

Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2017-10-18 06:28:39 UTC
commit cac3017eed6bec4140ba2dec99d67365bb1da66f (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <>
Date:   Wed Oct 18 08:26:42 2017

    media-sound/lame: Security bump to version 3.100 (bug #634598).

    Package-Manager: Portage-2.3.11, Repoman-2.3.3

I'd prefer to give this version some testing in ~arch first given that this is the first new release in years from that project...
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2017-10-25 07:19:41 UTC
Arches please test and mark stable =media-sound/lame-3.100 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Comment 3 Agostino Sarubbo gentoo-dev 2017-10-25 09:32:09 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev 2017-10-26 17:38:54 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 19:13:26 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:33:04 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:47:50 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 22:23:02 UTC
ppc64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:52:55 UTC
Stable on alpha.
Comment 10 Aleksandr Wagner (Kivak) 2017-11-08 17:20:12 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.
Comment 11 Markus Meier gentoo-dev 2017-11-19 15:09:49 UTC
arm stable
Comment 12 Rolf Eike Beer archtester 2017-11-23 16:57:25 UTC
Builds fine on sparc, but how to test?
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-15 16:08:17 UTC
sparc is an unstable arch.

@sound, please clean or mask the vulnerable version.
Comment 14 Rolf Eike Beer archtester 2018-01-15 16:55:09 UTC
I have no sound hw in my sparc; the day I know how to sanely test this without it, I can mark it stable.
Comment 15 Mart Raudsepp gentoo-dev 2018-03-15 03:02:24 UTC
lame is an encoder, not a decoder. So I guess you can just convert a wav into mp3 with lame on sparc and then grab that mp3 and see if playback of that file is good enough on a sound capable system or something.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-15 21:40:39 UTC
GLSA Vote: No.

@Maintainers please clean vulnerable versions.

(In reply to Rolf Eike Beer from comment #14)
> I have no sound hw in my sparc; the day I know how to sanely test this
> without it, I can mark it stable.

Rolf, hopefully with Mart's comment (#15) you'll be able to test lame, but the security-supported arches have been done since 2017-11; we need to move on with this report.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-17 13:16:20 UTC
sparc stable
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-23 23:56:04 UTC
tree is clean.