Details at $URL. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
CVE-2017-7605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7605): aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion failure, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.

CVE-2017-7604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7604): au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.

CVE-2017-7603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7603): au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.
[23:53:20] <ajak> wrt to bug 618000, can we just remove libaacplus? looks like its only revdep is media-sound/darkice[aacplus] (and nothing requires that use flag afaict), also doesn't look like libaacplus is shipped in many other repos either according to repology
[23:53:55] <sam_c> it's also very dead upstream if I recall?
[23:55:07] <ajak> yeah looks like the website was last touched 2011, very dead
[23:57:12] <sam_c> this seems reasonable to me

CCing treecleaners. Maybe we'll do it though.
Ping treecleaners
so we just mask for removal and on cleaning we remove the use flag from darkice?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=747727dddf91a920f7c80b8c1feef4029733a1cd

commit 747727dddf91a920f7c80b8c1feef4029733a1cd
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 01:30:10 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 01:52:01 +0000

    profiles: last rite libaacplus

    Bug: https://bugs.gentoo.org/618000
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/base/package.use.mask | 4 ++++
 profiles/package.mask          | 5 +++++
 2 files changed, 9 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a7f689b24777e533cf0d7cc0c5f60998d8fee86

commit 8a7f689b24777e533cf0d7cc0c5f60998d8fee86
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:16:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:16:09 +0000

    media-libs/libaacplus: treeclean

    Bug: https://bugs.gentoo.org/618000
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/libaacplus/Manifest                     |  2 -
 ...ibaacplus-2.0.2-clang-inline-redefinition.patch | 37 ------------
 media-libs/libaacplus/libaacplus-2.0.2-r3.ebuild   | 66 ----------------------
 media-libs/libaacplus/metadata.xml                 |  8 ---
 profiles/package.mask                              |  5 --
 5 files changed, 118 deletions(-)
GLSA request filed
GLSA released, all done!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ab12ce78f7bdd5c54c12a4ca2753f5a396b88351

commit ab12ce78f7bdd5c54c12a4ca2753f5a396b88351
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:35:43 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-13 ] libaacplus: Denial of Service

    Bug: https://bugs.gentoo.org/618000
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-13.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)