CVE-2012-1107 [1]
A crafted ogg file with sampleRate as "0" leads to crash in the application using taglib.
Upstream Commit: https://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23
CVE-2012-1108 [2]
"vendorLength" field modification in ogg tag parsing causes crash in the application using taglib.
Upstream Commit: https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59
References: http://secunia.com/advisories/48211/
taglib-1.7-r1 in Portage with the two commits backported
Arches, test and stabilize: =media-libs/taglib-1.7-r1 "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
ppc done
x86 stable
ppc64 done
amd64 stable
Stable for HPPA.
alpha/arm/ia64/sh/sparc stable
Thanks, everyone. GLSA vote: yes.
GLSA Vote: no.
Vulnerable version removed from the tree. Thanks everyone.
Added to GLSA request with bug 410953.
This issue was resolved and addressed in GLSA 201206-16 at http://security.gentoo.org/glsa/glsa-201206-16.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2012-1108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1108): The parse function in ogg/xiphcomment.cpp in TagLib 1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted vendorLength field in an ogg file.
CVE-2012-1107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1107): The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted sampleRate in an ape file, which triggers a divide-by-zero error.
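The two failure modes in these CVE entries, as an added C++ example (not TagLib's code and not the upstream commits): every length read from a Vorbis comment block is checked against the bytes remaining before use, and a zero sampleRate is guarded before the division. The function names and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Read a 32-bit little-endian integer; fails if fewer than 4 bytes remain.
static bool readLE32(const Bytes &d, size_t &pos, uint32_t &out) {
    if (d.size() - pos < 4) return false;            // invariant: pos <= d.size()
    out = uint32_t(d[pos]) | uint32_t(d[pos + 1]) << 8 |
          uint32_t(d[pos + 2]) << 16 | uint32_t(d[pos + 3]) << 24;
    pos += 4;
    return true;
}

// Read a length-prefixed string. The length comes from the file, so it is
// compared against the bytes actually left before anything is copied.
static bool readField(const Bytes &d, size_t &pos, std::string &out) {
    uint32_t len;
    if (!readLE32(d, pos, len) || len > d.size() - pos) return false;
    out.assign(d.begin() + pos, d.begin() + pos + len);
    pos += len;
    return true;
}

// Vorbis comment layout: vendor field, 32-bit comment count, then that many fields.
// A count larger than the data can hold fails at the first short read.
bool parseComment(const Bytes &d, std::string &vendor, std::vector<std::string> &fields) {
    size_t pos = 0;
    uint32_t count;
    if (!readField(d, pos, vendor) || !readLE32(d, pos, count)) return false;
    for (uint32_t i = 0; i < count; ++i) {
        std::string f;
        if (!readField(d, pos, f)) return false;
        fields.push_back(f);
    }
    return true;
}

// Duration in seconds; a sampleRate of 0 yields 0 instead of dividing.
uint32_t lengthSeconds(uint32_t totalSamples, uint32_t sampleRate) {
    return sampleRate > 0 ? totalSamples / sampleRate : 0;
}

// Constructed sample: vendor "ab", one field "A=b"; vendorLength is overridable.
Bytes sampleComment(uint32_t vendorLength) {
    Bytes d = {0, 0, 0, 0, 'a', 'b', 1, 0, 0, 0, 3, 0, 0, 0, 'A', '=', 'b'};
    for (int i = 0; i < 4; ++i) d[i] = uint8_t(vendorLength >> (8 * i));
    return d;
}
```

A parser written this way returns false on a malformed block, so the caller can treat the file as untagged rather than crash.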