Bug 605894 (CVE-2017-0381) - <media-libs/opus-{1.1.3-r1,1.2_alpha}: Memory corruption during media file and data processing (CVE-2017-0381)
Status: RESOLVED FIXED
Alias: CVE-2017-0381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-16 14:04 UTC by Agostino Sarubbo
Modified: 2017-07-16 01:23 UTC

See Also:
Package list:
=media-libs/opus-1.1.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-01-16 14:04:47 UTC
From ${URL} :

A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.

Upstream patch:

https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409

References:

https://source.android.com/security/bulletin/2017-01-01.html


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 David Seifert gentoo-dev 2017-01-20 18:57:41 UTC
@sec, you can proceed with stabilising opus-1.1.3-r1

commit fedc905f2f73265c4108e2a4b359846d10dee66d
Author: David Seifert <soap@gentoo.org>
Date:   Fri Jan 20 19:53:40 2017 +0100

    media-libs/opus: Add patch for CVE-2017-0381
    
    Gentoo-bug: 605894
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-20 19:01:13 UTC
@ Arches,

please test and mark stable: =media-libs/opus-1.1.3-r1
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:12 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 14:10:44 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-21 17:17:02 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-21 17:27:49 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-21 20:34:43 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-22 16:30:39 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-23 16:28:52 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2017-02-15 18:18:37 UTC
arm stable, all arches done.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 12:11:14 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <media-libs/opus-1.1.3-r1!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:58:34 UTC
This issue was resolved and addressed in
 GLSA 201702-21 at https://security.gentoo.org/glsa/201702-21
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-20 23:59:27 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-libs/opus-1.1.3-r1!
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-07-16 01:23:42 UTC
tree is clean.