
Bug 635548 (CVE-2017-12911, CVE-2017-12912)

Summary: <media-sound/mp3gain-1.6.1: Multiple vulnerabilities
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: chain, chainsaw, drmccoy, gentoo-bugs, ppc64, ppc, sound, treecleaner
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=630954
Whiteboard: B3 [noglsa cve]
Package list:
media-sound/mp3gain-1.6.1
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-27 00:52:06 UTC
CVE-2017-12912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12912):
  The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability which
  results in a read access violation when opening a crafted MP3 file.

CVE-2017-12911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12911):
  The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in
  a stack memory corruption when opening a crafted MP3 file.
Comment 1 Agostino Sarubbo gentoo-dev 2017-10-27 06:51:39 UTC
the latter is a write issue which I had a way to see.
Comment 2 Herb Miller Jr. 2018-03-19 14:14:09 UTC
Upstream fixed CVE-2017-12911 last month. It was a blocker for the 1.6.2 release. I'll ping them about CVE-2017-12912 soon as Sourceforge cooperates with me accessing my account.
Comment 3 Pacho Ramos gentoo-dev 2018-04-21 14:34:52 UTC
[master ace29cb9d332] media-sound/mp3gain: Bump (#630954), fix CVE-2017-12911 (#635548)
 3 files changed, 112 insertions(+)
 create mode 100644 media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-12911.patch
 create mode 100644 media-sound/mp3gain/mp3gain-1.6.1.ebuild

For CVE-2017-12912 I couldn't find any fix :/ but I guess we can stabilize this version in the meantime
Comment 4 Pacho Ramos gentoo-dev 2018-04-21 14:38:47 UTC
I am not sure whether to clone this bug to cover the remaining security issue in the future :/

Anyway, for now we can stabilize 1.6.1
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-21 23:16:29 UTC
(In reply to Pacho Ramos from comment #4)
> I am not sure whether to clone this bug to cover the remaining security issue
> in the future :/
> 
> Anyway, for now we can stabilize 1.6.1

I think we can proceed to stabilize and address the other CVE with another stable call in this bug.
Comment 6 Larry the Git Cow gentoo-dev 2018-04-21 23:23:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5162ff386be42cbfaadbb0bfa40aa41308c5b4ae

commit 5162ff386be42cbfaadbb0bfa40aa41308c5b4ae
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-21 23:18:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-21 23:18:27 +0000

    media-sound/mp3gain: amd64 stable wrt bug #635548
    
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-22 01:36:13 UTC
x86 stable
Comment 8 Matt Turner gentoo-dev 2018-04-22 19:17:42 UTC
hppa stable
Comment 9 Matt Turner gentoo-dev 2018-04-22 20:29:23 UTC
alpha stable
Comment 10 Larry the Git Cow gentoo-dev 2018-05-08 18:43:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1fd2a3efff669160051b646a1bd48c419be2fdd

commit c1fd2a3efff669160051b646a1bd48c419be2fdd
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-08 18:20:17 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-08 18:42:40 +0000

    media-sound/mp3gain: stable 1.6.1 for sparc
    
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:22:25 UTC
looks like ppc/ppc64 keywords were dropped.

Moving on.

GLSA Vote: No

Tree is clean.