Bug 711918 (CVE-2019-14247) - <media-sound/mpg321-0.3.2: out-of-bounds write in scan() function in mad.c (CVE-2019-14247)
Summary: <media-sound/mpg321-0.3.2: out-of-bounds write in scan() function in mad.c (C...
Status: RESOLVED FIXED
Alias: CVE-2019-14247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-08 23:08 UTC by Sam James
Modified: 2020-06-18 02:49 UTC (History)

See Also:
Package list:
=media-sound/mpg321-0.3.2 *
Runtime testing required: ---


Description Sam James 2020-03-08 23:08:40 UTC
1) CVE-2017-11552
Description:
"mpg321.c in mpg321 0.3.2-1 does not properly manage memory for use with libmad 0.15.1b, which allows remote attackers to cause a denial of service (memory corruption seen in a crash in the mad_decoder_run function in decoder.c in libmad) via a crafted MP3 file."

URL: https://seclists.org/fulldisclosure/2017/Jul/94
URL: https://security-tracker.debian.org/tracker/CVE-2017-11552

2) CVE-2019-14247
Description:
"The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file."

URL: https://sourceforge.net/p/mpg321/bugs/51/
URL: https://security-tracker.debian.org/tracker/CVE-2019-14247
Patch: https://sources.debian.org/patches/mpg321/0.3.2-3/handle_illegal_bitrate_value.patch/

It looks like Debian felt both were resolved by the latter patch, see bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406.
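The CVE text above names the ingredient (a zero bitrate in a frame header) and the effect (an out-of-bounds write in a scanning routine) but not the mechanism. The following is an added illustration of that bug class, written for this page; it is not mpg321's mad.c and not the Debian patch, and every function name, the seek-table layout, and the sample frames are constructed assumptions. It models a scanner that derives the frame length from the header bitrate and walks the buffer in that step: with bitrate 0 the step is 0, the loop never advances, and the index runs past a fixed-size table. The hardened variant rejects the illegal bitrate before it feeds any arithmetic, which is what the Debian patch's name (handle_illegal_bitrate_value) describes.

```c
/* Constructed illustration of the "zero bitrate -> out-of-bounds write"
 * bug class in a seek-table scanner. NOT mpg321's mad.c and NOT the Debian
 * patch; every name, the table layout and the inputs are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 64   /* fixed-size seek table, as a frame index would be */

/* MPEG-1 Layer III bitrate table (kbit/s). Index 0 is "free format", which
 * libmad reports as bitrate 0; index 15 is invalid. */
static const unsigned bitrate_kbps[16] = {
    0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0 };
static const unsigned samplerate_hz[4] = { 44100, 48000, 32000, 0 };

struct frame_hdr { long bitrate; unsigned samplerate; int padding; };

/* Decode a 4-byte frame header (MPEG-1 Layer III only, for brevity).
 * Returns 0 on success, -1 if there is no sync or a field is reserved. */
static int parse_header(const uint8_t *h, size_t len, struct frame_hdr *out) {
    /* sync 0xFFE + version 11 (MPEG-1) + layer 01 (III); CRC bit ignored */
    if (len < 4 || h[0] != 0xFF || (h[1] & 0xFE) != 0xFA) return -1;
    unsigned bidx = h[2] >> 4, sidx = (h[2] >> 2) & 3;
    if (bidx == 15 || sidx == 3) return -1;
    out->bitrate    = (long)bitrate_kbps[bidx] * 1000;   /* 0 for index 0 */
    out->samplerate = samplerate_hz[sidx];
    out->padding    = (h[2] >> 1) & 1;
    return 0;
}

/* Layer III frame length: 144 * bitrate / samplerate + padding bytes.
 * A zero bitrate yields 0 (or 1 with padding), never a real frame size. */
static size_t frame_len(const struct frame_hdr *f) {
    return (size_t)(144 * f->bitrate / f->samplerate) + (size_t)f->padding;
}

struct seek_table { size_t offsets[MAX_FRAMES]; size_t n; bool overrun; };

/* Vulnerable pattern: the step is computed from the bitrate with no check.
 * With step 0 the loop never advances and n runs past the table. The write
 * is guarded here so the example runs; without that guard this is the
 * out-of-bounds write. */
static int scan_vulnerable(const uint8_t *buf, size_t len, struct seek_table *t) {
    struct frame_hdr f;
    memset(t, 0, sizeof *t);
    if (parse_header(buf, len, &f) != 0) return -1;
    size_t step = frame_len(&f);
    for (size_t off = 0; off < len; off += step) {
        if (t->n >= MAX_FRAMES) { t->overrun = true; return -1; }
        t->offsets[t->n++] = off;
    }
    return 0;
}

/* Hardened pattern: refuse an illegal (zero) bitrate before it reaches any
 * arithmetic, and bound the table index regardless of the step. */
static int scan_fixed(const uint8_t *buf, size_t len, struct seek_table *t) {
    struct frame_hdr f;
    memset(t, 0, sizeof *t);
    if (parse_header(buf, len, &f) != 0) return -1;
    if (f.bitrate == 0) { fputs("illegal bitrate value (0)\n", stderr); return -1; }
    size_t step = frame_len(&f);
    for (size_t off = 0; off < len && t->n < MAX_FRAMES; off += step)
        t->offsets[t->n++] = off;
    return 0;
}

/* Constructed inputs: one valid 128 kbit/s, 44.1 kHz header and one with
 * bitrate index 0, each followed by zero filler. */
static const uint8_t GOOD_HDR[4] = { 0xFF, 0xFB, 0x90, 0x00 };  /* idx 9 */
static const uint8_t ZERO_HDR[4] = { 0xFF, 0xFB, 0x00, 0x00 };  /* idx 0 */

static void make_input(uint8_t *buf, size_t len, const uint8_t *hdr) {
    memset(buf, 0, len);
    memcpy(buf, hdr, 4);
}

/* Frames indexed from 2000 bytes of the valid stream (step 417 bytes). */
static size_t frames_in_good_stream(void) {
    uint8_t buf[2000]; struct seek_table t;
    make_input(buf, sizeof buf, GOOD_HDR);
    return scan_vulnerable(buf, sizeof buf, &t) == 0 ? t.n : 0;
}

/* Does the unchecked scanner run past its table on a zero-bitrate header? */
static bool vulnerable_overruns_on_zero_bitrate(void) {
    uint8_t buf[2000]; struct seek_table t;
    make_input(buf, sizeof buf, ZERO_HDR);
    scan_vulnerable(buf, sizeof buf, &t);
    return t.overrun;
}

/* Return code of the hardened scanner on the same zero-bitrate input. */
static int fixed_result_on_zero_bitrate(void) {
    uint8_t buf[2000]; struct seek_table t;
    make_input(buf, sizeof buf, ZERO_HDR);
    return scan_fixed(buf, sizeof buf, &t);
}

int main(void) {
    printf("valid stream: %zu frames indexed\n", frames_in_good_stream());
    printf("zero bitrate, unchecked scan: %s\n",
           vulnerable_overruns_on_zero_bitrate() ? "table overrun" : "ok");
    printf("zero bitrate, checked scan: rc=%d\n", fixed_result_on_zero_bitrate());
    return 0;
}
```

The check worth taking from this is the ordering: the bitrate must be validated before it is used to derive a length, a step or a table size, because every later bounds check is computed from it. Rejecting the frame is the conservative choice; a decoder that wants to support free-format streams has to determine the real frame size by other means before indexing anything.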
Comment 1 Thomas Deutschmann (RETIRED) 2020-03-09 00:26:35 UTC
Removing CVE-2017-11552 which only affects media-libs/libmad and is tracked in bug 626822.
Comment 2 Larry the Git Cow 2020-06-06 01:50:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33364299eee045ae5df62612a33c9c80dbbe792c

commit 33364299eee045ae5df62612a33c9c80dbbe792c
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2020-06-04 17:51:17 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-06 01:49:13 +0000

    media-sound/mpg321: update ebuild
    
    Applied security fix from Debian for CVE-2019-14247 (#711918), fixed
    compilation on GCC10 (#706740), updated ebuild to EAPI 7.
    
    Bug: https://bugs.gentoo.org/711918
    Closes: https://bugs.gentoo.org/706740
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/16066
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 .../mpg321/files/mpg321-0.3.2-CVE-2019-14247.patch | 20 ++++++
 .../files/mpg321-0.3.2-format-security.patch       |  4 +-
 media-sound/mpg321/files/mpg321-0.3.2-gcc10.patch  | 83 ++++++++++++++++++++++
 media-sound/mpg321/mpg321-0.3.2.ebuild             | 12 +++-
 4 files changed, 114 insertions(+), 5 deletions(-)
Comment 3 Sam James 2020-06-06 03:26:26 UTC
@Azamat, thank you for the PR! Let's try out stabilisation.
Comment 4 Sam James 2020-06-06 03:27:17 UTC
(In reply to Sam James (sec padawan) from comment #3)
> @Azamat, thank you for the PR! Let's try out stabilisation.

Actually, let's give it a day or two. Changed the rating.
Comment 5 Sam James 2020-06-16 13:27:09 UTC
Oh, this went straight-to-stable with just the patches included in the existing version -- no version bump. This makes a GLSA challenging.

In future, please revbump when including patches which affect the installed version.
Comment 6 Azamat H. Hackimov 2020-06-16 17:38:33 UTC
I've done what was asked at https://github.com/gentoo/gentoo/pull/16066#issuecomment-639147750