Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 673742 (CVE-2018-20430, CVE-2018-20431) - <media-libs/libextractor-1.8-r1: multiple vulnerabilities
Summary: <media-libs/libextractor-1.8-r1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-20430, CVE-2018-20431
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 674968
  Show dependency tree
 
Reported: 2018-12-26 06:51 UTC by Melissa Mcdonald
Modified: 2019-01-14 15:59 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/libextractor-1.8-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Melissa Mcdonald 2018-12-26 06:51:30 UTC
GNU Libextractor is prone to multiple security vulnerabilities.
https://gnunet.org/bugs/view.php?id=5494
https://gnunet.org/bugs/view.php?id=5493

1. A remote denial-of-service vulnerability
2. An out-of-bound read access vulnerability

Attackers can exploit these issues to crash the application denying service to legitimate users or disclose sensitive information that may aid in further attacks.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-12-26 09:44:56 UTC
Apparently fixed in upstream 1.9.
Comment 2 Larry the Git Cow gentoo-dev 2018-12-29 22:02:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10ca5198d87e67194880e4421dc4a3d348211008

commit 10ca5198d87e67194880e4421dc4a3d348211008
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-12-29 20:21:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-12-29 22:02:01 +0000

    media-libs/libextractor: Fix CVE-2018-20430, CVE-2018-20431
    
    Bug: https://bugs.gentoo.org/673742
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/libextractor-1.8-CVE-2018-20430.patch    |  49 +++++++++
 .../files/libextractor-1.8-CVE-2018-20431.patch    |  39 +++++++
 media-libs/libextractor/libextractor-1.8-r1.ebuild | 117 +++++++++++++++++++++
 3 files changed, 205 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-12-30 00:08:40 UTC
Arches, please stabilise.
Comment 4 ernsteiswuerfel archtester 2018-12-30 20:18:44 UTC
Looking good on ppc/ppc64.

# cat /mnt/mychroot/root/tatt/libextractor-673742.report 
USE tests started on So 30. Dez 15:32:37 CET 2018

FEATURES=' test' USE='' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac gif -gsf -gstreamer -gtk jpeg -magic midi mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive bzip2 ffmpeg -flac -gif -gsf -gstreamer gtk jpeg -magic -midi mp4 -mpeg -tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 -ffmpeg -flac -gif -gsf -gstreamer gtk jpeg -magic -midi -mp4 mpeg -tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg -flac -gif -gsf gstreamer -gtk jpeg -magic -midi mp4 -mpeg tidy tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac -gif -gsf gstreamer gtk -jpeg -magic -midi mp4 -mpeg -tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif -gsf -gstreamer -gtk -jpeg -magic midi -mp4 mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac -gif gsf gstreamer gtk jpeg magic midi mp4 mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac gif -gsf -gstreamer gtk -jpeg magic midi mp4 -mpeg tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac gif gsf -gstreamer gtk -jpeg magic midi mp4 -mpeg tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 -ffmpeg -flac -gif gsf gstreamer -gtk jpeg -magic midi -mp4 mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg flac -gif -gsf -gstreamer -gtk jpeg -magic -midi mp4 mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac gif -gsf gstreamer -gtk jpeg -magic midi mp4 mpeg tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1

revdep tests started on So 30. Dez 16:30:41 CET 2018

FEATURES=' test' USE='' succeeded for dev-python/libextractor-python

# cat libextractor-673742.report 
USE tests started on So 30. Dez 20:56:08 CET 2018

FEATURES=' test' USE='' succeeded for =media-libs/libextractor-1.8-r1
USE='archive -bzip2 ffmpeg flac -gif gsf gstreamer gtk -jpeg -magic -midi -mp4 mpeg -tidy -tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif gsf gstreamer -gtk -jpeg -magic -midi mp4 -mpeg tidy -tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac -gif gsf -gstreamer -gtk -jpeg -magic -midi -mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 -ffmpeg flac -gif gsf -gstreamer -gtk -jpeg -magic midi -mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac gif gsf -gstreamer -gtk -jpeg -magic midi mp4 mpeg -tidy tiff -vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg -flac -gif gsf -gstreamer -gtk -jpeg magic midi -mp4 -mpeg -tidy -tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive bzip2 ffmpeg -flac -gif -gsf gstreamer gtk jpeg -magic midi mp4 mpeg tidy -tiff vorbis -zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg -flac -gif -gsf -gstreamer gtk jpeg magic -midi mp4 -mpeg tidy -tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac gif -gsf gstreamer -gtk jpeg magic midi mp4 mpeg -tidy tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg -flac gif -gsf gstreamer gtk -jpeg magic -midi -mp4 -mpeg tidy tiff -vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='-archive -bzip2 ffmpeg flac gif gsf -gstreamer gtk jpeg magic -midi mp4 mpeg -tidy -tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1
USE='archive bzip2 ffmpeg flac -gif -gsf -gstreamer gtk -jpeg -magic midi -mp4 -mpeg -tidy tiff vorbis zlib' succeeded for =media-libs/libextractor-1.8-r1

revdep tests started on So 30. Dez 21:15:47 CET 2018

FEATURES=' test' USE='' succeeded for dev-python/libextractor-python
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:19:36 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:21:41 UTC
ppc64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-09 01:36:52 UTC
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-14 15:59:46 UTC
amd64 stable