Bug 772317 (CVE-2021-3410)

Comment 1 Sam James 2021-02-27 15:14:18 UTC

Fixed in https://github.com/cacalabs/libcaca/commit/e4968ba6e93e9fd35429eb16895c785c51072015?

Comment 2 Andreas Sturmlechner 2021-03-01 00:25:00 UTC

opensuse applies quite a number of more patches than us over that code:

https://build.opensuse.org/package/show/multimedia:libs/libcaca

Comment 3 Larry the Git Cow 2021-05-22 11:39:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e49df2222085dded48b58473bc2fd6347f8352f

commit 9e49df2222085dded48b58473bc2fd6347f8352f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-05-22 11:36:04 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-05-22 11:39:14 +0000

    media-libs/libcaca: fix multiple CVEs and docs build failure
    
    CVE fixed (using Debian patchset):
    CVE-2018-20544, CVE-2018-20545, CVE-2018-20546,
    CVE-2018-20547, CVE-2018-20549, CVE-2021-3410.
    
    Fix docs build failure (doxygen and latex issues) using both Debian
    patch and patch from bug 543870#c11.
    
    Install docs into proper path.
    
    Bug: https://bugs.gentoo.org/543870
    Bug: https://bugs.gentoo.org/772317
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 media-libs/libcaca/files/100_doxygen.diff          | 170 +++++++++++++++++++
 media-libs/libcaca/files/CVE-2018-20544.patch      |  45 +++++
 .../libcaca/files/CVE-2018-20545+20547+20549.patch |  34 ++++
 .../libcaca/files/CVE-2018-20546+20547.patch       |  36 ++++
 ...em-in-the-caca_resize-overflow-detection-.patch | 135 +++++++++++++++
 ...as-fix-an-integer-overflow-in-caca_resize.patch | 141 ++++++++++++++++
 media-libs/libcaca/files/fix-css-path.patch        |  12 ++
 media-libs/libcaca/libcaca-0.99_beta19-r4.ebuild   | 182 +++++++++++++++++++++
 8 files changed, 755 insertions(+)

Comment 4 Andrew Savchenko 2021-05-22 11:42:33 UTC

Security team, please note that multiple CVEs are present prior to -r4.

Also while I helped with current problem, I'm not a maintainer of this packages, so proceed with stabilization on your own or with @media-video team.

Comment 5 John Helmert III 2021-05-25 02:48:25 UTC

Thanks!

Comment 6 Sam James 2021-05-25 16:54:43 UTC

ppc64 done

Comment 7 Agostino Sarubbo 2021-05-25 18:58:21 UTC

amd64 stable

Comment 8 Agostino Sarubbo 2021-05-25 19:10:34 UTC

x86 stable

Comment 9 Sam James 2021-05-27 19:22:26 UTC

ppc done

Comment 10 Sam James 2021-05-28 00:28:45 UTC

arm done

Comment 11 Rolf Eike Beer 2021-05-28 15:46:11 UTC

sparc done

Comment 12 Sam James 2021-06-03 22:52:01 UTC

arm64 done

all arches done

Comment 13 John Helmert III 2021-06-04 02:12:12 UTC

Please cleanup.

Comment 15 Larry the Git Cow 2021-06-18 14:56:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a17a038ba653cf52039460cf79adca71ef4a2326

commit a17a038ba653cf52039460cf79adca71ef4a2326
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-18 14:55:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-18 14:56:11 +0000

    media-libs/libcaca: drop 0.99_beta19-r5, 0.99_beta19-r6
    
    Bug: https://bugs.gentoo.org/772317
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libcaca/libcaca-0.99_beta19-r5.ebuild | 151 --------------------
 media-libs/libcaca/libcaca-0.99_beta19-r6.ebuild | 173 -----------------------
 2 files changed, 324 deletions(-)

Comment 16 NATTkA bot 2021-06-18 15:12:29 UTC

Unable to check for sanity:

> no match for package: media-libs/libcaca-0.99_beta19-r4