Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711210 (CVE-2019-14465, CVE-2019-14523, CVE-2019-14524) - <media-sound/schismtracker-20190805: Multiple vulnerabilities (CVE-2019-{14465,14523,14524})
Summary: <media-sound/schismtracker-20190805: Multiple vulnerabilities (CVE-2019-{1446...
Status: RESOLVED FIXED
Alias: CVE-2019-14465, CVE-2019-14523, CVE-2019-14524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/schismtracker/schi...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 19:30 UTC by Sam James
Modified: 2021-07-07 08:05 UTC (History)
2 users (show)

See Also:
Package list:
media-sound/schismtracker-20210525
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-01 19:30:52 UTC
Description:
"An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c."

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-14523
Affects:
< 20190722

Fixed release: https://github.com/schismtracker/schismtracker/releases/tag/20190805
Patch: https://github.com/schismtracker/schismtracker/commit/c8986a876959a9d282e882d782af351a86e4034c
Comment 1 Sam James archtester gentoo-dev Security 2020-03-02 14:49:58 UTC
2) CVE-2019-14465

Description: 
"fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow."

Bug: https://github.com/schismtracker/schismtracker/issues/198
Fixed release, as above: https://github.com/schismtracker/schismtracker/releases/tag/20190805
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:06:27 UTC
CVE-2019-14524 (https://nvd.nist.gov/vuln/detail/CVE-2019-14524):
  An issue was discovered in Schism Tracker through 20190722. There is a
  heap-based buffer overflow via a large number of song patterns in
  fmt_mtm_load_song in fmt/mtm.c, a different vulnerability than
  CVE-2019-14465.

CVE-2019-14523 (https://nvd.nist.gov/vuln/detail/CVE-2019-14523):
  An issue was discovered in Schism Tracker through 20190722. There is an
  integer underflow via a large plen in fmt_okt_load_song in the Amiga
  Oktalyzer parser in fmt/okt.c.
Comment 3 Sam James archtester gentoo-dev Security 2020-06-20 02:00:23 UTC
ping
Comment 4 Larry the Git Cow gentoo-dev 2021-04-29 07:28:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c134ef752894193bdc518219e6ea242321ee3ce1

commit c134ef752894193bdc518219e6ea242321ee3ce1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-29 07:27:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-29 07:28:01 +0000

    media-sound/schismtracker: bump to 20190805
    
    Bug: https://bugs.gentoo.org/711210
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/schismtracker/Manifest                 |  1 +
 .../schismtracker/schismtracker-20190805.ebuild    | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
Comment 5 Miroslav Šulc gentoo-dev 2021-04-29 07:31:55 UTC
i suppose the new version can be stabilized in a few days.

there is a qa issue reported but i'm really not sure whether this is wrong, it just uses the input file twice, once for input and once for constructing output file name. or am i wrong?

 * QA Notice: This package installs one or more .desktop files that do not
 * pass validation.
 * 
 * 	/usr/share/applications/schism.desktop: error: file contains group "Desktop Action Render WAV", which has an invalid action identifier, only alphanumeric characters and '-' are allowed
 * 	/usr/share/applications/schism.desktop: error: value "schismtracker --diskwrite=%f.wav %f" for key "Exec" in group "Desktop Action Render WAV" may contain at most one "0,000000", "102", "0,000000" or "%U" field code
Comment 6 Sam James archtester gentoo-dev Security 2021-05-09 06:01:00 UTC
x86 done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-09 07:46:44 UTC
amd64 done

all arches done
Comment 8 Larry the Git Cow gentoo-dev 2021-05-09 07:58:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=344dffd5f69509b34eb06a3b41c32be397ec7dc6

commit 344dffd5f69509b34eb06a3b41c32be397ec7dc6
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-05-09 07:58:14 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-05-09 07:58:50 +0000

    media-sound/schismtracker: removed obsolete and vulnerable 20180810-r1
    
    Bug: https://bugs.gentoo.org/711210
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-sound/schismtracker/Manifest                 |  1 -
 .../schismtracker/schismtracker-20180810-r1.ebuild | 60 ----------------------
 2 files changed, 61 deletions(-)
Comment 9 Miroslav Šulc gentoo-dev 2021-05-09 07:59:46 UTC
the tree is clean now, you can proceed.
Comment 10 John Helmert III gentoo-dev Security 2021-05-13 14:05:29 UTC
Thank you!
Comment 11 Thomas Deutschmann gentoo-dev Security 2021-06-02 11:29:09 UTC
Downgrading to B3.

New GLSA request filed.
Comment 12 NATTkA bot gentoo-dev 2021-06-09 07:04:30 UTC
Unable to check for sanity:

> no match for package: media-sound/schismtracker-20190805
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-07-07 08:05:41 UTC
This issue was resolved and addressed in
 GLSA 202107-12 at https://security.gentoo.org/glsa/202107-12
by GLSA coordinator Sam James (sam_c).