"mpg321.c in mpg321 0.3.2-1 does not properly manage memory for use with libmad 0.15.1b, which allows remote attackers to cause a denial of service (memory corruption seen in a crash in the mad_decoder_run function in decoder.c in libmad) via a crafted MP3 file."
"The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file."
It looks like Debian felt both were resolved by the latter patch, see bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406.
Removing CVE-2017-11552 which only affects media-libs/libmad and is tracked in bug 626822.
The bug has been referenced in the following commit(s):
Author: Azamat H. Hackimov <firstname.lastname@example.org>
AuthorDate: 2020-06-04 17:51:17 +0000
Commit: Aaron Bauman <email@example.com>
CommitDate: 2020-06-06 01:49:13 +0000
media-sound/mpg321: update ebuild
Applied security fix from Debian for CVE-2019-14247 (#711918), fixed
compilation on GCC10 (#706740), updated ebuild to EAPI 7.
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Azamat H. Hackimov <firstname.lastname@example.org>
Signed-off-by: Aaron Bauman <email@example.com>
.../mpg321/files/mpg321-0.3.2-CVE-2019-14247.patch | 20 ++++++
.../files/mpg321-0.3.2-format-security.patch | 4 +-
media-sound/mpg321/files/mpg321-0.3.2-gcc10.patch | 83 ++++++++++++++++++++++
media-sound/mpg321/mpg321-0.3.2.ebuild | 12 +++-
4 files changed, 114 insertions(+), 5 deletions(-)
@Azamat, thank you for the PR! Let's try out stabilisation.
(In reply to Sam James (sec padawan) from comment #3)
> @Azamat, thank you for the PR! Let's try out stabilisation.
Actually, let's give it a day or two. Changed the rating.
Oh, this went straight-to-stable with just the patches included in the existing version -- no version bump. This makes a GLSA challenging.
In future, please revbump when including patches which affect the installed version.
I've done what was asked: https://github.com/gentoo/gentoo/pull/16066#issuecomment-639147750