Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662172 (CVE-2018-14449, CVE-2018-14450, CVE-2018-14451, CVE-2018-14452, CVE-2018-14453, CVE-2018-14454, CVE-2018-14455, CVE-2018-14456, CVE-2018-14457, CVE-2018-14458, CVE-2018-14459) - media-libs/libgig: Multiple vulnerabilities
Summary: media-libs/libgig: Multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2018-14449, CVE-2018-14450, CVE-2018-14451, CVE-2018-14452, CVE-2018-14453, CVE-2018-14454, CVE-2018-14455, CVE-2018-14456, CVE-2018-14457, CVE-2018-14458, CVE-2018-14459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa upstream? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-26 08:15 UTC by GLSAMaker/CVETool Bot
Modified: 2021-04-29 11:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-26 08:15:04 UTC
CVE-2018-14459 (https://nvd.nist.gov/vuln/detail/CVE-2018-14459):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  pData[0] access in the function store16 in helper.h.

CVE-2018-14458 (https://nvd.nist.gov/vuln/detail/CVE-2018-14458):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in pData[1] access in the function store32 in helper.h.

CVE-2018-14457 (https://nvd.nist.gov/vuln/detail/CVE-2018-14457):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  the function DLS::Info::UpdateChunks in DLS.cpp.

CVE-2018-14456 (https://nvd.nist.gov/vuln/detail/CVE-2018-14456):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  the function DLS::Info::SaveString in DLS.cpp.

CVE-2018-14455 (https://nvd.nist.gov/vuln/detail/CVE-2018-14455):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  pData[0] access in the function store32 in helper.h.

CVE-2018-14454 (https://nvd.nist.gov/vuln/detail/CVE-2018-14454):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the function RIFF::Chunk::Read in RIFF.cpp.

CVE-2018-14453 (https://nvd.nist.gov/vuln/detail/CVE-2018-14453):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in pData[1] access in the function store16 in helper.h.

CVE-2018-14452 (https://nvd.nist.gov/vuln/detail/CVE-2018-14452):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the "always assign the sample of the first dimension region of this region"
  feature of the function gig::Region::UpdateChunks in gig.cpp.

CVE-2018-14451 (https://nvd.nist.gov/vuln/detail/CVE-2018-14451):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in the function RIFF::Chunk::Read in RIFF.cpp.

CVE-2018-14450 (https://nvd.nist.gov/vuln/detail/CVE-2018-14450):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the "update dimension region's chunks" feature of the function
  gig::Region::UpdateChunks in gig.cpp.

CVE-2018-14449 (https://nvd.nist.gov/vuln/detail/CVE-2018-14449):
  An issue was discovered in libgig 4.1.0. There is an out of bounds read in
  gig::File::UpdateChunks in gig.cpp.


@Maintainers maybe 4.0.0 is affected. Take adequate precautions for the bump.

Thank you,
Comment 1 Larry the Git Cow gentoo-dev 2019-11-13 13:39:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf2cfb75862240ca1e73b980ac7f85bcd36df5c6

commit bf2cfb75862240ca1e73b980ac7f85bcd36df5c6
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-11-13 13:38:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-11-13 13:39:06 +0000

    media-libs/libgig-4.2.0: bump
    
    Bug: https://bugs.gentoo.org/662172
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libgig/Manifest            |  1 +
 media-libs/libgig/libgig-4.2.0.ebuild | 37 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2019-11-13 13:45:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2350518cb0db6a5a314e079d00f025fbee910fed

commit 2350518cb0db6a5a314e079d00f025fbee910fed
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-11-13 13:44:45 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-11-13 13:45:09 +0000

    media-libs/libgig-4.1.0: removed vulnerable (bug #662172)
    
    no stable dependants so dropping to unstable
    
    Bug: https://bugs.gentoo.org/662172
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libgig/Manifest            |  1 -
 media-libs/libgig/libgig-4.1.0.ebuild | 37 -----------------------------------
 2 files changed, 38 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2019-11-13 13:46:41 UTC
removed vulnerable so now we have only 4.2.0. dropped to unstable as there are no stable dependants. can be proceeded.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:46:30 UTC
Not clear if fixed in 4.2.0: https://svn.linuxsampler.org/cgi-bin/viewvc.cgi/libgig/trunk/ChangeLog
Comment 5 Miroslav Šulc gentoo-dev 2021-04-29 06:55:11 UTC
i did not test all of the issues but those i tested still exist in 4.2.0
Comment 6 Miroslav Šulc gentoo-dev 2021-04-29 11:07:22 UTC
i contacted Christian Schoenebeck from the LinuxSampler team about the situation and here is his answer:

"Yes, and there are more unresolved ones:

https://bugs.linuxsampler.org/cgi-bin/buglist.cgi?
f1=longdesc&f2=short_desc&j_top=OR&o1=anywordssubstr&o2=anywordssubstr&product=libgig&query_format=advanced&resolution=---
&resolution=INVALID&resolution=WONTFIX&resolution=LATER&resolution=REMIND&resolution=WORKSFORME&v1=CVE%2Ccrash%2Cfuzz%2Csecurity%2Coverflow%2Csegfault%2Csegmentation%2CSEGV&v2=CVE%2Ccrash%2Cfuzz%2Csecurity%2Coverflow%2Csegfault%2Csegmentation%2CSEGV

I had a discussion about libgig CVEs in general with Markus from Debian a year 
ago, so I'm putting him on CC for that reason.

To put things into perspective: I'm also an upstream submaintainer of the QEMU 
project where I handle CVEs and in fact any single line change in QEMU with 
huge care due to QEMU's sensibility.

The situation with libgig is different though. To make it short: there are a 
large number of potential security vulnerabilities in libgig, yes, but please 
don't expect from my side that I'm going to fix every one of those by just 
receiving reports.

The unpleasant truth is that libgig is currently not designed/maintained to be 
used on untrusted (.gig, .dls, .sf2, .kmp, .ksf) files. Which actually applies 
to many other music/audio related software libs and apps as well. It is simply 
not the typical use case of these types of software to deal safely with 
explicitly manipulated, malicious files.

I know that response is unsatisfying for you, but I received so many auto 
generated bug reports (mostly of automated fuzzing tests), and I am the only 
person working on this library for many years, so I decided a while ago to 
only process those LS/libgig CVE reports which also either a) provide a 
potential patch for the respective libgig CVE, or b) if the respective issue 
may also be triggered by users with "trusted" files (i.e. certain edge cases) 
as well.

If you have viable suggestions how the situation could be improved in future, 
then I'm of course open for discussions on this."