Bug 778992 - <media-video/mediainfo-21.09, media-video/libmediainfo-21.09: multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 794925
Blocks:
Reported: 2021-03-28 18:18 UTC by John Helmert III
Modified: 2023-11-24 20:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-28 18:18:22 UTC
Multiple apparent security fixes reported in the changelogs for mediainfo (https://github.com/MediaArea/MediaInfo/releases/tag/v21.03) and libmediainfo (https://github.com/MediaArea/MediaInfoLib/releases/tag/v21.03) 21.03:

FFV1: fix crash with some bitstreams parsing
TIFF: fix division by 0
RF64: fix the WAV malformed chunk size test


Several apparent security fixes in the commit log of libmediainfo since last version too:

21bcafaa Fix floating point exception in File_La::FileHeader_Parse (SF#1151)
91461395 Fix floating point exception when parsing mpeg4 files (SF#1131)
b451751b Fix integer overflow in File_AvsV::user_data_start (SF#1155)
4b2a64ca Fix integer overflow in File_Ogg::Data_Parse (SF#1143)
2fb5e46e Fix floating point exception in File_Pcm::Header_Parse (SF#1133)
859f778c Fix global buffer overflow in File_Dpx::GenericSectionHeader_Dpx (SF#1140)
7bab1c3a Fix heap overflow File_Gxf::ChooseParser_ChannelGrouping (SF#1154)

Unsure if exploitable further than a DoS.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:23:26 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:48 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:39:43 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:54 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:50 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:12:08 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-01-02 06:16:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=036af3bb0a04b78b809465f596d23bd96351068a

commit 036af3bb0a04b78b809465f596d23bd96351068a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-02 06:15:14 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-02 06:16:06 +0000

    media-video/mediainfo: add 21.09
    
    Bug: https://bugs.gentoo.org/778992
    Closes: https://bugs.gentoo.org/794925
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/mediainfo/Manifest               |  1 +
 media-video/mediainfo/mediainfo-21.09.ebuild | 86 ++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e24798c7cb22306b5c806bd3eb444047c891af5

commit 9e24798c7cb22306b5c806bd3eb444047c891af5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-02 06:03:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-02 06:15:51 +0000

    media-libs/libmediainfo: add 21.09
    
    Bug: https://bugs.gentoo.org/778992
    Closes: https://bugs.gentoo.org/794925
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libmediainfo/Manifest                   |  1 +
 .../files/libmediainfo-21.09-link-fix.patch        | 29 +++++++
 media-libs/libmediainfo/libmediainfo-21.09.ebuild  | 88 ++++++++++++++++++++++
 3 files changed, 118 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 21:10:17 UTC
Looks like stabilization happened in bug 833738, need cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2022-08-16 21:20:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0daf4322261c4c91494bf192c9173ea54c08c891

commit 0daf4322261c4c91494bf192c9173ea54c08c891
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-16 21:19:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-16 21:20:21 +0000

    media-libs/libmediainfo: drop 20.09-r1
    
    Bug: https://bugs.gentoo.org/778992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/libmediainfo/Manifest                   |  1 -
 .../files/libmediainfo-20.09-pkgconfig.patch       | 10 ---
 .../libmediainfo/libmediainfo-20.09-r1.ebuild      | 88 ----------------------
 3 files changed, 99 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ee603b147399d045f2f7c55fe1e16a83fcb78d1

commit 7ee603b147399d045f2f7c55fe1e16a83fcb78d1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-16 21:18:34 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-16 21:18:34 +0000

    media-video/mediainfo: drop 20.09, 20.09-r1
    
    Bug: https://bugs.gentoo.org/778992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-video/mediainfo/Manifest                  |  1 -
 media-video/mediainfo/mediainfo-20.09-r1.ebuild | 82 -------------------------
 media-video/mediainfo/mediainfo-20.09.ebuild    | 81 ------------------------
 3 files changed, 164 deletions(-)
Comment 10 jospezial 2023-07-31 14:44:12 UTC
The affected versions are long gone from the tree.
Can this bug close?