| Summary: | media-sound/mpg321-0.3.2: out-of-bounds write in scan() function in mad.c (CVE-2019-14247) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | azamat.hackimov, sound |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/gentoo/gentoo/pull/16066 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | =media-sound/mpg321-0.3.2 * | | |
| Runtime testing required: | --- | | |
Description

Sam James
2020-03-08 23:08:40 UTC

Removing CVE-2017-11552 which only affects media-libs/libmad and is tracked in bug 626822.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33364299eee045ae5df62612a33c9c80dbbe792c

commit 33364299eee045ae5df62612a33c9c80dbbe792c
Author: Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2020-06-04 17:51:17 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-06 01:49:13 +0000

media-sound/mpg321: update ebuild

Applied security fix from Debian for CVE-2019-14247 (#711918), fixed compilation on GCC10 (#706740), updated ebuild to EAPI 7.

Bug: https://bugs.gentoo.org/711918
Closes: https://bugs.gentoo.org/706740
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/16066
Signed-off-by: Aaron Bauman <bman@gentoo.org>

.../mpg321/files/mpg321-0.3.2-CVE-2019-14247.patch | 20 ++++++
.../files/mpg321-0.3.2-format-security.patch | 4 +-
media-sound/mpg321/files/mpg321-0.3.2-gcc10.patch | 83 ++++++++++++++++++++++
media-sound/mpg321/mpg321-0.3.2.ebuild | 12 +++-
4 files changed, 114 insertions(+), 5 deletions(-)

@Azamat, thank you for the PR! Let's try out stabilisation.

(In reply to Sam James (sec padawan) from comment #3)
> @Azamat, thank you for the PR! Let's try out stabilisation.

Actually, let's give it a day or two. Changed the rating.

Oh, this went straight-to-stable with just the patches included in the existing version -- no version bump. This makes a GLSA challenging. In future, please revbump when including patches which affect the installed version.

I've done what was asked in https://github.com/gentoo/gentoo/pull/16066#issuecomment-639147750