Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 139593 - media-libs/adplug Multiple vulnerabilities (CVE-2006-358{1,2})
Summary: media-libs/adplug Multiple vulnerabilities (CVE-2006-358{1,2})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-07 12:38 UTC by Alexander Færøy
Modified: 2006-09-12 12:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Færøy 2006-07-07 12:38:43 UTC
Have a look at this email from bugtraq:
http://www.securityfocus.com/archive/1/439432/30/0/threaded

I'll guess this also effects media-plugins/xmms-adplug

Regards
Alex (eroyf)
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-07 13:52:44 UTC
Sound please advise. The following is a short summary from URL:


 The library is affected by various heap and stack overflow
 vulnerabilities.
 As intuitable by the types of bugs almost all the unpacking
 instructions don't verify the size of the destination buffers and trust
 in the values provided by the same files which are used for allocating
 the needed buffers (except in the CFF files where it has a fixed size).
Comment 2 Luis Medinas (RETIRED) gentoo-dev 2006-07-07 14:13:08 UTC
according to the website the fix is in the CVS so i'll wait a few days and see if the upstream releases a new version. If not i'll patch it.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-07 23:22:44 UTC
Thx Luis, setting it to upstream status for now.
Comment 4 Tony Vroon gentoo-dev 2006-07-10 16:26:46 UTC
Arch teams; please mark audacious 1.1.0 stable as it has a patched AdPlug backend. (As it does not use an external AdPlug, we do not have to wait for upstream to release. The necessary patches have been pinched from their CVS and are already applied.)
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-11 00:59:33 UTC
Handling audacious stable marking on bug #139957.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-25 12:10:54 UTC
Ok a couple of days have passed, changing to ebuild status.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:46:22 UTC
(In reply to comment #2)
> according to the website the fix is in the CVS so i'll wait a few days and see
> if the upstream releases a new version. If not i'll patch it.

metalgod, please patch.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 06:12:52 UTC
Sound, any news on this one?
Comment 9 Luis Medinas (RETIRED) gentoo-dev 2006-09-05 10:16:55 UTC
From what i saw xmms-adplug isn't affected... it's just a plugin. Since the main library is fixed the plugin is fine too.

So now we only need to stablize adplug.

Arches please stablize adplug-2.0.1. 
And to be more safe stablize xmms-adplug-1.2 too.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-05 13:02:59 UTC
ppc stable
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-05 13:34:14 UTC
sparc stable.
Comment 12 Joshua Jackson (RETIRED) gentoo-dev 2006-09-05 20:57:35 UTC
x86 isn't last horray! ^.^
Comment 13 Thomas Cort (RETIRED) gentoo-dev 2006-09-06 07:12:37 UTC
amd64 stable.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-06 07:38:58 UTC
This one is ready for GLSA.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-12 12:12:50 UTC
(In reply to comment #14)
> This one is ready for GLSA.
> 

and this one is done :)

GLSA 200609-06