CVE-2017-9128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9128): The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted mp4 file.
CVE-2017-9127 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9127): The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted mp4 file.
CVE-2017-9126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9126): The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted mp4 file.
CVE-2017-9125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9125): The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mp4 file.
CVE-2017-9124 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9124): The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
CVE-2017-9123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9123): The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.
CVE-2017-9122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9122): The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file.
@Maintainers could you please confirm if we are affected by any of these vulnerabilities? Thank you
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8d9d005d305c0d4a8232649e3ec93535c1bacca
commit c8d9d005d305c0d4a8232649e3ec93535c1bacca
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 14:54:25 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 15:07:45 +0000
    media-libs/libquicktime: Fix CVE-2017-9122..9128
    Bug: https://bugs.gentoo.org/634806
    Package-Manager: Portage-2.3.49, Repoman-2.3.10
 .../libquicktime-1.2.4-CVE-2017-9122_et_al.patch | 151 +++++++++++++++++++++
 .../libquicktime/libquicktime-1.2.4-r3.ebuild | 1 +
 2 files changed, 152 insertions(+)
This patch supposedly also fixes bug 626862, according to SUSE who took no further action: https://bugzilla.suse.com/show_bug.cgi?id=1051855
An automated check of this bug failed - repoman reported dependency errors (71 lines truncated):
> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: DEPEND: ia64(default/linux/ia64/17.0/desktop) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
sigh... why is that libav bug broken...
x86 stable
amd64 stable
Stable on alpha.
ppc64 stable
Adding remaining arches.
ia64 stable
ppc stable
sparc stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b9e63a9d14b162ee15c36f94a88453dd73ac2ba
commit 0b9e63a9d14b162ee15c36f94a88453dd73ac2ba
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-08 23:03:54 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-08 23:03:54 +0000
    media-libs/libquicktime: Security cleanup
    Bug: https://bugs.gentoo.org/634806
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
 .../libquicktime/libquicktime-1.2.4-r2.ebuild | 132 ---------------------
 1 file changed, 132 deletions(-)