Summary: | media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap over-read (CVE-2017-15045, CVE-2017-15046) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Aleksandr Wagner (Kivak) <alwag>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | eike, leio, Manfred.Knick, sound
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.opensuse.org/show_bug.cgi?id=1061973, https://bugzilla.opensuse.org/show_bug.cgi?id=1061970 | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | =media-sound/lame-3.100-r1 | |
Runtime testing required: | --- | |
Bug Depends on: | 635014 | |
Bug Blocks: | 622936, 635380 | |
Description (Aleksandr Wagner (Kivak), 2017-10-18 01:23:12 UTC)

    commit cac3017eed6bec4140ba2dec99d67365bb1da66f (HEAD -> master, origin/master, origin/HEAD)
    Author: Lars Wendler <polynomial-c@gentoo.org>
    Date:   Wed Oct 18 08:26:42 2017

        media-sound/lame: Security bump to version 3.100 (bug #634598).

        Package-Manager: Portage-2.3.11, Repoman-2.3.3

I'd prefer to give this version some testing in ~arch first, given that this is the first new release in years from that project...

Arches, please test and mark stable =media-sound/lame-3.100 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris

amd64 stable

x86 stable

hppa stable

ia64 stable

ppc stable

ppc64 stable

Stable on alpha.

@ Maintainer(s): Stabilization is complete, please clean the vulnerable versions from the tree.

arm stable

Builds fine on sparc, but how to test?

sparc is an unstable arch.

@sound, please clean or mask the vulnerable version.

I have no sound hw in my sparc; the day I know how to sanely test this without it, I can mark it stable.

lame is an encoder, not a decoder. So I guess you can just convert a wav into mp3 with lame on sparc, then grab that mp3 and see if playback of that file is good enough on a sound-capable system or something.

GLSA Vote: No.

@Maintainers, please clean vulnerable versions.

(In reply to Rolf Eike Beer from comment #14)
> I have no sound hw in my sparc; the day I know how to sanely test this
> without it, I can mark it stable.

Rolf, hopefully with Mart's comment (#15) you'll be able to test lame, but security-supported arches have been done since 2017-11; we need to move on with this report.

sparc stable tree is clean.