From ${URL} : The open source libass library is used to read and render subtitles onto images or frames of a movie. It is a popular library used in a few well-known media players. It seems it is usually shipped statically? Not sure. https://github.com/libass/libass Attached are 4 test cases and their asan/valgrind results tested against version 0.13.3. One is in wrap_lines_smart() (https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26). One is coeff_blur121() (https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75). The third is a huge memory allocation leading to a crash that wasn’t fixed because a good solution is unavailable at the moment. The fourth is in check_allocations() (https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b). These should be fixed in the 0.13.4 release, but are fixed currently on master. Thanks to the libass team for the quick turnaround. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit 442752b75dce0d135e2039b7e3d0eb231f95752f Author: Alexis Ballier <aballier@gentoo.org> Date: Mon Oct 10 12:21:52 2016 +0200 media-libs/libass: bump to 0.13.4, bug #596422 should be ok for stabilization
@ Maintainer(s): We missed comment #1. Newer versions are now in repository, can we stabilize =media-libs/libass-0.13.6 instead?
@ Arches, please test and mark stable: =media-libs/libass-0.13.6
amd64 stable
x86 stable
ppc64 stable
Stable for HPPA.
Stable on alpha.
ppc stable
sparc stable
ia64 stable
arm stable, all arches done.
GLSA request filed
This issue was resolved and addressed in GLSA 201702-25 at https://security.gentoo.org/glsa/201702-25 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please clean up and drop <media-libs/libass-0.13.4!
Maintainer(s), please drop the vulnerable version(s).
They're now gone from the tree.
@ Maintainer(s): Thank you for your work!