603092 – <media-libs/game-music-emu-0.6.1: Multiple issues due to incorrect emulation of the SPC700 audio co-processor of SNES

Bug 603092 - <media-libs/game-music-emu-0.6.1: Multiple issues due to incorrect emulation of the SPC700 audio co-processor of SNES

Summary: <media-libs/game-music-emu-0.6.1: Multiple issues due to incorrect emulation ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B2 [glsa cve]
Keywords:

Duplicates (1):	611040 (view as bug list)
Depends on:
Blocks:	CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961
	Show dependency tree

Reported:	2016-12-19 13:38 UTC by Agostino Sarubbo
Modified:	2017-07-08 12:32 UTC (History)
CC List:	2 users (show)

See Also:	618346
Package list:	=media-libs/game-music-emu-0.6.1
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-12-19 13:38:07 UTC

From ${URL} :

Incorrect emulation of the SPC700 audio co-processor of the Super
Nintendo Entertainment System allows the execution of arbitrary code
if a malformed SPC music file is opened.

References:

http://scarybeastsecurity.blogspot.cz/2016/12/redux-compromising-linux-using-snes.html
http://seclists.org/oss-sec/2016/q4/682

CVE assignments:

http://seclists.org/oss-sec/2016/q4/692


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-09 00:04:07 UTC

@ Maintainer(s): Please bump to >=media-libs/game-music-emu-0.6.1

Comment 2 Alexis Ballier gentoo-dev

2017-02-27 09:36:32 UTC

*** Bug 611040 has been marked as a duplicate of this bug. ***

Comment 3 Alexis Ballier gentoo-dev

2017-02-27 09:39:23 UTC

commit 146d393d3bea760ce75f424897db6798310eed2b
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Mon Feb 27 10:38:45 2017 +0100

    media-libs/game-music-emu: Bump to 0.6.1, bug #603092


I think it can go stable

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev

2017-02-28 11:24:31 UTC

Stable on alpha.

Comment 5 Markus Meier gentoo-dev

2017-02-28 17:30:54 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2017-03-02 10:30:42 UTC

amd64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-03-02 10:48:18 UTC

x86 stable

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2017-03-05 12:35:43 UTC

Stable for HPPA PPC64.

Comment 9 Michael Weber (RETIRED) gentoo-dev

2017-03-08 22:12:53 UTC

ppc stable, last arch.

Comment 10 Yury German Gentoo Infrastructure

2017-03-24 05:27:07 UTC

Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 11 Yury German Gentoo Infrastructure

2017-04-11 05:41:42 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 12 Yury German Gentoo Infrastructure

2017-04-30 12:33:18 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 13 Yury German Gentoo Infrastructure

2017-05-27 01:04:10 UTC

Arches and Maintainer(s), Thank you for your work.

Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-03 14:51:30 UTC

Freeing aliases for tracker bug usage.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-07-08 12:32:37 UTC

This issue was resolved and addressed in
 GLSA 201707-02 at https://security.gentoo.org/glsa/201707-02
by GLSA coordinator Thomas Deutschmann (whissi).