An integer overflow has been found in taglib. From a mail thread at [1]:

On Sun, Mar 4, 2012 at 4:41 AM, Zubin Mithra <zubin.mithra at gmail.com> wrote:
> - Sanity checks are not performed for fields read from a media file, which
> are used to allocate memory later on. Causes DoS due to application crash at
> the very least, exploitability is unconfirmed.
>
> An example :-
> apeitem.cpp
> APE::Item::parse(const ByteVector &data)
> d->key = String(data.mid(8), String::UTF8);

@kde, I believe this may be fixed in 1.7.1. If it is, can we move forward and stabilize that version? Thanks.

[1] https://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html
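The pattern the report describes (a file-supplied length fed to mid() and then to an allocation) next to a bounds-safe form, as an added illustration that is constructed for this thread and is not TagLib's code; the names `Bytes`, `naiveMidRequest`, `safeMid` and `parseItem` and the simplified APE item layout are assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <limits>
#include <optional>
#include <string>
#include <utility>
#include <vector>

using Bytes = std::vector<unsigned char>;

// What a naive mid(index, length) would ask to allocate: "index + length" is
// computed in size_t, so a file-supplied length near SIZE_MAX wraps the sum
// below data.size(), the bounds test passes and the copy length stays huge.
// Illustrative of the CVE-2012-1584 pattern only; not TagLib's code.
size_t naiveMidRequest(const Bytes &data, size_t index, size_t length) {
    if (index + length > data.size())   // the sum can wrap
        length = data.size() - index;
    return length;                      // the allocation that would follow
}

// Hardened form: check the index first, then clamp the length against the
// bytes that actually remain, using subtraction so nothing can wrap.
Bytes safeMid(const Bytes &data, size_t index,
              size_t length = std::numeric_limits<size_t>::max()) {
    if (index >= data.size())
        return Bytes();
    const size_t remaining = data.size() - index;
    if (length > remaining)
        length = remaining;
    return Bytes(data.begin() + index, data.begin() + index + length);
}

// Constructed APE-style item: 4-byte little-endian value length, 4 flag bytes,
// NUL-terminated key, then the value. The declared value length is checked
// against the bytes present before any copy. Hypothetical, not APE::Item::parse.
std::optional<std::pair<std::string, Bytes>> parseItem(const Bytes &data) {
    if (data.size() < 9)
        return std::nullopt;
    const uint32_t valueLen = uint32_t(data[0]) | uint32_t(data[1]) << 8 |
                              uint32_t(data[2]) << 16 | uint32_t(data[3]) << 24;
    const Bytes rest = safeMid(data, 8);               // key + value
    const auto nul = std::find(rest.begin(), rest.end(), 0);
    if (nul == rest.end())
        return std::nullopt;                           // unterminated key
    const size_t valueStart = size_t(nul - rest.begin()) + 1;
    if (valueLen > rest.size() - valueStart)
        return std::nullopt;                           // length exceeds the file
    return std::make_pair(std::string(rest.begin(), nul),
                          safeMid(rest, valueStart, valueLen));
}
```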
Yes go ahead!
Thanks. Arches, please test and mark stable:

=media-libs/taglib-1.7.1

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
arm stable
alpha/ia64/sh/sparc stable
ppc done
ppc64 done
Thank you all, kde is done here. Removing from cc.

+ 17 Apr 2012; Johannes Huber <johu@gentoo.org>
+ -files/taglib-1.7-security.patch, -taglib-1.7-r1.ebuild:
+ Remove old wrt bug #410953.
Thanks, everyone. GLSA already drafted and ready for review.
This issue was resolved and addressed in GLSA 201206-16 at http://security.gentoo.org/glsa/glsa-201206-16.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2012-1584 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1584): Integer overflow in the mid function in toolkit/tbytevector.cpp in TagLib 1.7 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted file header field in a media file, which triggers a large memory allocation.