Bug 673742 (CVE-2018-20430, CVE-2018-20431)

Summary: <media-libs/libextractor-1.8-r1: multiple vulnerabilities
Product: Gentoo Security
Reporter: Melissa Mcdonald <melrosemc216599>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: asturm, maintainer-needed
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list: media-libs/libextractor-1.8-r1
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 674968

Description Melissa Mcdonald 2018-12-26 06:51:30 UTC
GNU Libextractor is prone to multiple security vulnerabilities.
https://gnunet.org/bugs/view.php?id=5494
https://gnunet.org/bugs/view.php?id=5493

1. A remote denial-of-service vulnerability
2. An out-of-bound read access vulnerability

Attackers can exploit these issues to crash the application, denying service to legitimate users, or disclose sensitive information that may aid in further attacks.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-12-26 09:44:56 UTC
Apparently fixed in upstream 1.9.
Comment 2 Larry the Git Cow gentoo-dev 2018-12-29 22:02:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10ca5198d87e67194880e4421dc4a3d348211008

commit 10ca5198d87e67194880e4421dc4a3d348211008
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-12-29 20:21:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-12-29 22:02:01 +0000

    media-libs/libextractor: Fix CVE-2018-20430, CVE-2018-20431
    
    Bug: https://bugs.gentoo.org/673742
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/libextractor-1.8-CVE-2018-20430.patch    |  49 +++++++++
 .../files/libextractor-1.8-CVE-2018-20431.patch    |  39 +++++++
 media-libs/libextractor/libextractor-1.8-r1.ebuild | 117 +++++++++++++++++++++
 3 files changed, 205 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-12-30 00:08:40 UTC
Arches, please stabilise.
Comment 4 ernsteiswuerfel archtester 2018-12-30 20:18:44 UTC
Looking good on ppc/ppc64.

# cat /mnt/mychroot/root/tatt/libextractor-673742.report 
USE tests started on So 30. Dez 15:32:37 CET 2018

FEATURES=' test' USE='' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac gif -gsf -gstreamer -gtk jpeg -magic midi mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive bzip2 ffmpeg -flac -gif -gsf -gstreamer gtk jpeg -magic -midi mp4 -mpeg -tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 -ffmpeg -flac -gif -gsf -gstreamer gtk jpeg -magic -midi -mp4 mpeg -tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg -flac -gif -gsf gstreamer -gtk jpeg -magic -midi mp4 -mpeg tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac -gif -gsf gstreamer gtk -jpeg -magic -midi mp4 -mpeg -tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif -gsf -gstreamer -gtk -jpeg -magic midi -mp4 mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac -gif gsf gstreamer gtk jpeg magic midi mp4 mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac gif -gsf -gstreamer gtk -jpeg magic midi mp4 -mpeg tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac gif gsf -gstreamer gtk -jpeg magic midi mp4 -mpeg tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac -gif gsf gstreamer -gtk jpeg -magic midi -mp4 mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg flac -gif -gsf -gstreamer -gtk jpeg -magic -midi mp4 mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac gif -gsf gstreamer -gtk jpeg -magic midi mp4 mpeg tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1

revdep tests started on So 30. Dez 16:30:41 CET 2018

FEATURES=' test' USE='' succeeded for dev-python/libextractor-python

# cat libextractor-673742.report 
USE tests started on So 30. Dez 20:56:08 CET 2018

FEATURES=' test' USE='' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac -gif gsf gstreamer gtk -jpeg -magic -midi -mp4 mpeg -tidy -tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif gsf gstreamer -gtk -jpeg -magic -midi mp4 -mpeg tidy -tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac -gif gsf -gstreamer -gtk -jpeg -magic -midi -mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg flac -gif gsf -gstreamer -gtk -jpeg -magic midi -mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac gif gsf -gstreamer -gtk -jpeg -magic midi mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac -gif gsf -gstreamer -gtk -jpeg magic midi -mp4 -mpeg -tidy -tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive bzip2 ffmpeg -flac -gif -gsf gstreamer gtk jpeg -magic midi mp4 mpeg tidy -tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg -flac -gif -gsf -gstreamer gtk jpeg magic -midi mp4 -mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif -gsf gstreamer -gtk jpeg magic midi mp4 mpeg -tidy tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg -flac gif -gsf gstreamer gtk -jpeg magic -midi -mp4 -mpeg tidy tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg flac gif gsf -gstreamer gtk jpeg magic -midi mp4 mpeg -tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac -gif -gsf -gstreamer gtk -jpeg -magic midi -mp4 -mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1

revdep tests started on So 30. Dez 21:15:47 CET 2018

FEATURES=' test' USE='' succeeded for dev-python/libextractor-python
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:19:36 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:21:41 UTC
ppc64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-09 01:36:52 UTC
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-14 15:59:46 UTC
amd64 stable