Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 667510 (CVE-2017-17054, CVE-2018-14521, CVE-2018-14522, CVE-2018-14523) - <media-libs/aubio-0.4.7: Multiple vulnerabilities
Summary: <media-libs/aubio-0.4.7: Multiple vulnerabilities
Alias: CVE-2017-17054, CVE-2018-14521, CVE-2018-14522, CVE-2018-14523
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2017-17554
  Show dependency tree
Reported: 2018-10-01 20:20 UTC by Andreas Sturmlechner
Modified: 2018-11-24 23:45 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Sturmlechner gentoo-dev 2018-10-01 20:20:30 UTC
Published 2017-11-29T02:29:00.257000
In aubio 0.4.6, a divide-by-zero error exists in the function new_aubio_source_wavread() in source_wavread.c, which may lead to DoS when playing a crafted audio file.

Published 2018-07-23T04:29:00.467000
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_source_avcodec_readframe in io/source_avcodec.c, as demonstrated by aubiomfcc.

Published 2018-07-23T04:29:00.513000
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.

Published 2018-07-23T04:29:00.560000
An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-10-01 22:43:30 UTC
x86 stable
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-10-04 09:00:38 UTC
amd64 stable
Comment 3 Rolf Eike Beer 2018-10-04 21:07:51 UTC
sparc done.
Comment 4 Matt Turner gentoo-dev 2018-10-06 16:19:43 UTC
ppc64 stable.

all arches stable
Comment 5 Larry the Git Cow gentoo-dev 2018-10-06 19:45:34 UTC
The bug has been referenced in the following commit(s):

commit 640bb6cccb3c071724ae448942c4e37e9d6821f0
Author:     Andreas Sturmlechner <>
AuthorDate: 2018-10-06 19:33:01 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2018-10-06 19:45:14 +0000

    media-libs/aubio: Security cleanup
    Signed-off-by: Andreas Sturmlechner <>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 media-libs/aubio/Manifest                         |   3 -
 media-libs/aubio/aubio-0.4.1-r1.ebuild            | 104 --------------------
 media-libs/aubio/aubio-0.4.2-r1.ebuild            | 105 --------------------
 media-libs/aubio/aubio-0.4.6.ebuild               | 111 ----------------------
 media-libs/aubio/files/aubio-0.4.1-ffmpeg29.patch |  22 -----
 media-libs/aubio/files/aubio-0.4.6-ffmpeg4.patch  |  13 ---
 6 files changed, 358 deletions(-)
Comment 6 Andreas Sturmlechner gentoo-dev 2018-10-28 13:11:52 UTC
proaudio is done here, anyway...