Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634598 (CVE-2017-15045, CVE-2017-15046) - <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap over-read (CVE-2017-{15045,15046})
Summary: <media-sound/lame-3.100: malformed mp3 input causes buffer overflow and heap ...
Status: RESOLVED FIXED
Alias: CVE-2017-15045, CVE-2017-15046
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.opensuse.org/show_bu...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 635014
Blocks: 622936 635380
  Show dependency tree
 
Reported: 2017-10-18 01:23 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-03-23 23:56 UTC (History)
4 users (show)

See Also:
Package list:
=media-sound/lame-3.100-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-10-18 01:23:12 UTC
CVE-2017-15045 (https://nvd.nist.gov/vuln/detail/CVE-2017-15045):

LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.

References:

https://sourceforge.net/p/lame/bugs/478/

CVE-2017-15046 (https://nvd.nist.gov/vuln/detail/CVE-2017-15046):

LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.

References:

https://sourceforge.net/p/lame/bugs/479/
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2017-10-18 06:28:39 UTC
commit cac3017eed6bec4140ba2dec99d67365bb1da66f (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Oct 18 08:26:42 2017

    media-sound/lame: Security bump to version 3.100 (bug #634598).

    Package-Manager: Portage-2.3.11, Repoman-2.3.3


I'd prefer to give this version some testing in ~arch first given that this is the first new release in years from that project...
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2017-10-25 07:19:41 UTC
Arches please test and mark stable =media-sound/lame-3.100 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Comment 3 Agostino Sarubbo gentoo-dev 2017-10-25 09:32:09 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev 2017-10-26 17:38:54 UTC
x86 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 19:13:26 UTC
hppa stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:33:04 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-26 21:47:50 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-28 22:23:02 UTC
ppc64 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:52:55 UTC
Stable on alpha.
Comment 10 Aleksandr Wagner (Kivak) 2017-11-08 17:20:12 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.
Comment 11 Markus Meier gentoo-dev 2017-11-19 15:09:49 UTC
arm stable
Comment 12 Rolf Eike Beer archtester 2017-11-23 16:57:25 UTC
Builds fine on sparc, but how to test?
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-15 16:08:17 UTC
sparc is an unstable arch.

@sound, please clean or mask the vulnerable version.
Comment 14 Rolf Eike Beer archtester 2018-01-15 16:55:09 UTC
I have no sound hw in my sparc, the day I know how to sanely test this without I can mark it stable.
Comment 15 Mart Raudsepp gentoo-dev 2018-03-15 03:02:24 UTC
lame is an encoder, not decoder. So I guess you can just convert a wav into mp3 with lame on sparc and then grab that mp3 and see if playback of that file is good enough on a sound capable system or something.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-15 21:40:39 UTC
GLSA Vote: No.

@Maintainers please clean vulnerable versions.

(In reply to Rolf Eike Beer from comment #14)
> I have no sound hw in my sparc, the day I know how to sanely test this
> without I can mark it stable.

Rolf, hopefully with Mart's comment (#15) you'll be able to test lame, but security supported arches are done since 2017-11, we need to move on with this report.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-17 13:16:20 UTC
sparc stable
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-23 23:56:04 UTC
tree is clean.