Bug 695540 (CVE-2018-19502, CVE-2018-19503, CVE-2018-19504, CVE-2018-20194, CVE-2018-20195, CVE-2018-20196, CVE-2018-20197, CVE-2018-20198, CVE-2018-20199, CVE-2018-20357, CVE-2018-20358, CVE-2018-20359, CVE-2018-20360, CVE-2018-20361, CVE-2018-20362, CVE-2019-15296, CVE-2019-6956)

Summary:	<media-libs/faad2-2.9.0: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	sound
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+ cve]
Package list:	media-libs/faad2-2.9.0	Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2019-09-24 12:34:13 UTC

CVE-2019-6956 (https://nvd.nist.gov/vuln/detail/CVE-2019-6956):
  An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8.
  It is a buffer over-read in ps_mix_phase in libfaad/ps_dec.c.

CVE-2018-20196 (https://nvd.nist.gov/vuln/detail/CVE-2018-20196):
  There is a stack-based buffer overflow in the third instance of the
  calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio
  Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or
  possibly unspecified other impact because the S_M array is mishandled.

CVE-2018-20199 (https://nvd.nist.gov/vuln/detail/CVE-2018-20199):
  A NULL pointer dereference was discovered in ifilter_bank of
  libfaad/filtbank.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The
  vulnerability causes a segmentation fault and application crash, which leads
  to denial of service because adding to windowed output is mishandled in the
  ONLY_LONG_SEQUENCE case.

CVE-2018-20360 (https://nvd.nist.gov/vuln/detail/CVE-2018-20360):
  An invalid memory address dereference was discovered in the
  sbr_process_channel function of libfaad/sbr_dec.c in Freeware Advanced Audio
  Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and
  application crash, which leads to denial of service.

CVE-2018-20362 (https://nvd.nist.gov/vuln/detail/CVE-2018-20362):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2018-19504 (https://nvd.nist.gov/vuln/detail/CVE-2018-19504):
  An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1.
  There is a NULL pointer dereference in ifilter_bank() in libfaad/filtbank.c.

CVE-2018-20195 (https://nvd.nist.gov/vuln/detail/CVE-2018-20195):
  A NULL pointer dereference was discovered in ic_predict of
  libfaad/ic_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The
  vulnerability causes a segmentation fault and application crash, which leads
  to denial of service.

CVE-2018-20198 (https://nvd.nist.gov/vuln/detail/CVE-2018-20198):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2018-20358 (https://nvd.nist.gov/vuln/detail/CVE-2018-20358):
  An invalid memory address dereference was discovered in the lt_prediction
  function of libfaad/lt_predict.c in Freeware Advanced Audio Decoder 2
  (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application
  crash, which leads to denial of service.

CVE-2018-20194 (https://nvd.nist.gov/vuln/detail/CVE-2018-20194):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2018-19503 (https://nvd.nist.gov/vuln/detail/CVE-2018-19503):
  An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1.
  There was a stack-based buffer overflow in the function calculate_gain() in
  libfaad/sbr_hfadj.c.

CVE-2018-20197 (https://nvd.nist.gov/vuln/detail/CVE-2018-20197):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2018-20357 (https://nvd.nist.gov/vuln/detail/CVE-2018-20357):
  A NULL pointer dereference was discovered in sbr_process_channel of
  libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The
  vulnerability causes a segmentation fault and application crash.

CVE-2018-20359 (https://nvd.nist.gov/vuln/detail/CVE-2018-20359):
  An invalid memory address dereference was discovered in the
  sbrDecodeSingleFramePS function of libfaad/sbr_dec.c in Freeware Advanced
  Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault
  and application crash, which leads to denial of service.

CVE-2018-20361 (https://nvd.nist.gov/vuln/detail/CVE-2018-20361):
  An invalid memory address dereference was discovered in the hf_assembly
  function of libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2)
  2.8.8. The vulnerability causes a segmentation fault and application crash,
  which leads to denial of service.

CVE-2019-15296 (https://nvd.nist.gov/vuln/detail/CVE-2019-15296):
  An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8.
  The faad_resetbits function in libfaad/bits.c is affected by a buffer
  overflow vulnerability. The number of bits to be read is determined by
  ld->buffer_size - words*4, cast to uint32. If ld->buffer_size - words*4 is
  negative, a buffer overflow is later performed via
  getdword_n(&ld->start[words], ld->bytes_left).

CVE-2018-19502 (https://nvd.nist.gov/vuln/detail/CVE-2018-19502):
  An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.1.
  There was a heap-based buffer overflow in the function excluded_channels()
  in libfaad/syntax.c.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2019-09-24 12:35:53 UTC

Please bump to >=2.9.0

Comment 2 Larry the Git Cow gentoo-dev

2019-10-26 20:14:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28ed452f4ad9a6a5ee8a1edd31bf8d68834a7b06

commit 28ed452f4ad9a6a5ee8a1edd31bf8d68834a7b06
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 20:13:36 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 20:14:06 +0000

    media-libs/faad2: bump to v2.9.0
    
    Bug: https://bugs.gentoo.org/695540
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/faad2/Manifest           |  1 +
 media-libs/faad2/faad2-2.9.0.ebuild | 55 +++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-27 23:21:32 UTC

x86 stable

Comment 4 Agostino Sarubbo gentoo-dev

2019-10-28 09:44:33 UTC

amd64 stable

Comment 5 Mikle Kolyada (RETIRED) archtester

2019-11-01 10:47:42 UTC

arm stable

Comment 6 Rolf Eike Beer archtester

2019-11-02 13:28:04 UTC

hppa and sparc stable

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2019-11-06 22:51:50 UTC

arm64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2019-11-12 10:38:55 UTC

ppc64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2019-11-12 18:09:08 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2019-11-13 16:10:40 UTC

ia64 stable

Comment 11 James Le Cuirot gentoo-dev

2019-11-23 13:47:35 UTC

https://github.com/knik0/faad2/commit/466b01d504d7e45f1e9169ac90b3e34ab94aed14 in 2.9.0 has broken XMMS2. Just thought you should know.

Comment 12 Sam James archtester

2020-04-02 08:50:17 UTC

(In reply to James Le Cuirot from comment #11)
> https://github.com/knik0/faad2/commit/
> 466b01d504d7e45f1e9169ac90b3e34ab94aed14 in 2.9.0 has broken XMMS2. Just
> thought you should know.

Sound team need to deal with this given it's been stabilised. Maybe file a new bug?

---
@maintainer(s), please cleanup.

Comment 13 NATTkA bot gentoo-dev

2020-04-06 15:06:14 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 14 James Le Cuirot gentoo-dev

2020-04-14 21:32:53 UTC

(In reply to Sam James (sec padawan) from comment #12)
> (In reply to James Le Cuirot from comment #11)
> > https://github.com/knik0/faad2/commit/
> > 466b01d504d7e45f1e9169ac90b3e34ab94aed14 in 2.9.0 has broken XMMS2. Just
> > thought you should know.
> 
> Sound team need to deal with this given it's been stabilised. Maybe file a
> new bug?

I've pushed a patch.

Comment 15 Yury German Gentoo Infrastructure

2020-05-22 01:41:21 UTC

Maintainer(s), it has been 30 days + since request for cleanup. 
Please drop the vulnerable version(s).

New GLSA Request filed.

Comment 16 Larry the Git Cow gentoo-dev

2020-05-23 10:17:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88469679c770b8742a3649e971fc5522442216c1

commit 88469679c770b8742a3649e971fc5522442216c1
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-05-23 10:16:40 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-05-23 10:16:40 +0000

    media-libs/faad2: Drop old and vulnerable 2.8.8
    
    Bug: https://bugs.gentoo.org/695540
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/faad2/Manifest                          |  1 -
 media-libs/faad2/faad2-2.8.8.ebuild                | 53 ----------------------
 .../files/faad2-2.8.5-libmp4ff-shared-lib.patch    | 15 ------
 3 files changed, 69 deletions(-)

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2020-06-15 15:50:48 UTC

This issue was resolved and addressed in
 GLSA 202006-17 at https://security.gentoo.org/glsa/202006-17
by GLSA coordinator Aaron Bauman (b-man).