Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 667510 (CVE-2017-17054, CVE-2018-14521, CVE-2018-14522, CVE-2018-14523)

Summary: <media-libs/aubio-0.4.7: Multiple vulnerabilities
Product: Gentoo Security Reporter: Andreas Sturmlechner <asturm>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
media-libs/aubio-0.4.7
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 650896    

Description Andreas Sturmlechner gentoo-dev 2018-10-01 20:20:30 UTC
CVE-2017-17054, http://cve.circl.lu/cve/CVE-2017-17054
Published 2017-11-29T02:29:00.257000
In aubio 0.4.6, a divide-by-zero error exists in the function new_aubio_source_wavread() in source_wavread.c, which may lead to DoS when playing a crafted audio file.

CVE-2018-14521, http://cve.circl.lu/cve/CVE-2018-14521
Published 2018-07-23T04:29:00.467000
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_source_avcodec_readframe in io/source_avcodec.c, as demonstrated by aubiomfcc.

CVE-2018-14522, http://cve.circl.lu/cve/CVE-2018-14522
Published 2018-07-23T04:29:00.513000
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.

CVE-2018-14523, http://cve.circl.lu/cve/CVE-2018-14523
Published 2018-07-23T04:29:00.560000
An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-10-01 22:43:30 UTC
x86 stable
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-10-04 09:00:38 UTC
amd64 stable
Comment 3 Rolf Eike Beer 2018-10-04 21:07:51 UTC
sparc done.
Comment 4 Matt Turner gentoo-dev 2018-10-06 16:19:43 UTC
ppc64 stable.

all arches stable
Comment 5 Larry the Git Cow gentoo-dev 2018-10-06 19:45:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=640bb6cccb3c071724ae448942c4e37e9d6821f0

commit 640bb6cccb3c071724ae448942c4e37e9d6821f0
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-10-06 19:33:01 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-10-06 19:45:14 +0000

    media-libs/aubio: Security cleanup
    
    Bug: https://bugs.gentoo.org/667510
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 media-libs/aubio/Manifest                         |   3 -
 media-libs/aubio/aubio-0.4.1-r1.ebuild            | 104 --------------------
 media-libs/aubio/aubio-0.4.2-r1.ebuild            | 105 --------------------
 media-libs/aubio/aubio-0.4.6.ebuild               | 111 ----------------------
 media-libs/aubio/files/aubio-0.4.1-ffmpeg29.patch |  22 -----
 media-libs/aubio/files/aubio-0.4.6-ffmpeg4.patch  |  13 ---
 6 files changed, 358 deletions(-)
Comment 6 Andreas Sturmlechner gentoo-dev 2018-10-28 13:11:52 UTC
proaudio is done here, anyway...