Bug 596422 (CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972) - <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971,7972})
Status: RESOLVED FIXED
Alias: CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-07 10:21 UTC by Agostino Sarubbo
Modified: 2017-06-05 21:39 UTC

See Also:
Package list:
=media-libs/libass-0.13.6
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-10-07 10:21:11 UTC
From ${URL} :

The open source libass library is used to read and render subtitles onto images or frames of a movie. It is a popular library used in a few well-known media players. It seems it is usually shipped statically? Not sure.

https://github.com/libass/libass

Attached are 4 test cases and their asan/valgrind results tested against version 0.13.3. 

One is in wrap_lines_smart() (https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26).

One is coeff_blur121() (https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75).

The third is a huge memory allocation leading to a crash that wasn’t fixed because a good solution is unavailable at the moment.

The fourth is in check_allocations() (https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b).

These should be fixed in the 0.13.4 release, but are fixed currently on master. Thanks to the libass team for the quick turnaround. 



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-10-10 10:22:20 UTC
commit 442752b75dce0d135e2039b7e3d0eb231f95752f
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Mon Oct 10 12:21:52 2016 +0200

    media-libs/libass: bump to 0.13.4, bug #596422
    


should be ok for stabilization
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-09 23:41:38 UTC
@ Maintainer(s): We missed comment #1. Newer versions are now in repository, can we stabilize =media-libs/libass-0.13.6 instead?
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-01-19 23:04:16 UTC
@ Arches,

please test and mark stable: =media-libs/libass-0.13.6
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-20 09:27:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-20 09:47:58 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-20 11:08:02 UTC
ppc64 stable
Comment 7 Jeroen Roovers gentoo-dev 2017-01-21 11:38:47 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann gentoo-dev 2017-01-21 11:44:21 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-21 20:33:54 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-22 16:28:52 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-23 16:28:06 UTC
ia64 stable
Comment 12 Markus Meier gentoo-dev 2017-02-05 16:59:58 UTC
arm stable, all arches done.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-02-05 23:35:45 UTC
GLSA request filed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:02:11 UTC
This issue was resolved and addressed in
 GLSA 201702-25 at https://security.gentoo.org/glsa/201702-25
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann gentoo-dev Security 2017-02-21 00:03:27 UTC
Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop <media-libs/libass-0.13.4!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-26 23:54:12 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 17 Tim Harder gentoo-dev 2017-06-05 21:26:38 UTC
They're now gone from the tree.
Comment 18 Thomas Deutschmann gentoo-dev Security 2017-06-05 21:39:25 UTC
@ Maintainer(s): Thank you for your work!