Bug 217715 - media-libs/speex <1.2_beta3_p2 introduces checks for negative header mode
Summary: media-libs/speex <1.2_beta3_p2 introduces checks for negative header mode
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 217820
Depends on:
Blocks: 216499 217373 217595 217602 217603 217605 217609
Reported: 2008-04-14 20:01 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-08 21:46 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 20:01:33 UTC
xiph's (lib)speex 1.2 beta 3.2 has been tagged that fixes CVE-2008-1686 directly in the speex_header_to_packet() function which applications use. Sanitations inside applications are therefore unnecessary.

Patch:
  https://trac.xiph.org/changeset/14701
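The class of check the description refers to, written out as an added example rather than xiph's patch or any Gentoo code: a header's mode field is attacker-controlled stream input and is later used as a table index, so a parser has to reject values below zero as well as values past the end of the table before using them. The layout assumed here (8-byte "Speex   " magic, 20-byte version string, then little-endian 32-bit fields with mode at offset 40 in an 80-byte header) and the table size of 3 modes are assumptions for the illustration, as are the function names `checked_header_mode` and `make_header`; the sample headers are constructed in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the decoder's mode table has three entries (narrowband,
 * wideband, ultra-wideband), so valid indices are 0, 1 and 2. */
#define NB_MODES     3
/* Assumption: 8-byte magic + 20-byte version string + version_id,
 * header_size and rate (4 bytes each) put the mode field at offset 40
 * of an 80-byte header. */
#define MODE_OFFSET  40
#define HEADER_LEN   80

/* Little-endian 32-bit read, returned as a signed value so that a
 * negative mode is visible as negative instead of as a huge unsigned. */
static int32_t read_le32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

static void write_le32(unsigned char *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = (unsigned char)(u & 0xff);
    p[1] = (unsigned char)((u >> 8) & 0xff);
    p[2] = (unsigned char)((u >> 16) & 0xff);
    p[3] = (unsigned char)((u >> 24) & 0xff);
}

/* Validates a stream header and returns its mode index in [0, NB_MODES),
 * or -1 if the header is too short, has the wrong magic, or carries a
 * mode that must not be used as a table index (negative or too large).
 * Both sides of the range are checked: a signed compare against 0 alone
 * would still let mode >= NB_MODES through, and an unsigned compare
 * alone would turn -1 into a large positive index. */
int checked_header_mode(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < HEADER_LEN)
        return -1;
    if (memcmp(hdr, "Speex   ", 8) != 0)
        return -1;

    int32_t mode = read_le32(hdr + MODE_OFFSET);
    if (mode < 0 || mode >= NB_MODES)
        return -1;
    return (int)mode;
}

/* Builds a constructed header with the given mode value (test data only). */
void make_header(unsigned char out[HEADER_LEN], int32_t mode)
{
    memset(out, 0, HEADER_LEN);
    memcpy(out, "Speex   ", 8);          /* magic */
    memcpy(out + 8, "1.2beta3", 8);      /* version string (padded with NULs) */
    write_le32(out + 28, 1);             /* version id */
    write_le32(out + 32, HEADER_LEN);    /* header size */
    write_le32(out + 36, 16000);         /* sample rate */
    write_le32(out + MODE_OFFSET, mode); /* the field under test */
}

int main(void)
{
    unsigned char h[HEADER_LEN];
    const int32_t samples[] = { 0, 1, 2, -1, 3, INT32_MIN };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_header(h, samples[i]);
        printf("mode field %11d -> %s\n", samples[i],
               checked_header_mode(h, HEADER_LEN) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The point of keeping the check inside the library's own header parser, as the description notes, is that every application reading headers through that function gets the rejection without having to repeat it; an application-level check would only protect callers that remembered to add it.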
Comment 1 Samuli Suominen gentoo-dev 2008-04-15 09:35:05 UTC
And we have it in Portage now,

*speex-1.2_beta3_p2 (15 Apr 2008)

  15 Apr 2008; Samuli Suominen <drac@gentoo.org> -speex-1.1.7.ebuild,
  +speex-1.2_beta3_p2.ebuild:
  Version bump.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 10:38:43 UTC
Arch Security Liaisons, please test and mark stable:
=media-libs/speex-1.2_beta3_p2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-04-15 13:17:57 UTC
Adding Tobias for alpha
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-04-15 13:46:01 UTC
Sparc stable (tested with {.wav}).
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-04-15 16:17:10 UTC
ppc64 stable
Comment 6 Samuli Suominen gentoo-dev 2008-04-15 16:51:29 UTC
amd64 stable, tested by playing with ogg123 (vorbis-tools using USE speex) and
converting .spx to .wav and back to .spx using speexdec and speexenc
also tested by an AT (VQuickSilver, Freenode), thanks to him

Comment 7 Tobias Klausmann gentoo-dev 2008-04-15 20:00:45 UTC
Stable for alpha.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 21:53:19 UTC
*** Bug 217820 has been marked as a duplicate of this bug. ***
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-16 19:08:12 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2008-04-17 01:04:10 UTC
x86 stable
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 09:42:39 UTC
now public via http://www.ocert.org/advisories/ocert-2008-004.html
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 09:59:20 UTC
removing arch security liaisons, adding missing arches, adding sound herd
hope I didn't forget to remove/add anyone

glsa request filed
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 10:02:30 UTC
really removing this time
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-04-17 10:18:10 UTC
ia64 stable
Comment 15 Tobias Klausmann gentoo-dev 2008-04-17 10:53:48 UTC
Removing myself since I stood in for ferdy as sec liaison for Alpha.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 12:15:52 UTC
GLSA 200804-17.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:16:15 UTC
Fixed in release snapshot.