Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918558 (CVE-2023-38857, CVE-2023-38858) - <media-libs/faad2-2.11.0: multiple vulnerabilities
Summary: <media-libs/faad2-2.11.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-38857, CVE-2023-38858
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 918595
Blocks:
  Show dependency tree
 
Reported: 2023-11-25 20:26 UTC by John Helmert III
Modified: 2024-01-10 13:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 20:26:35 UTC 
CVE-2023-38857 (https://github.com/knik0/faad2/issues/171):

Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c.

Patch: https://github.com/knik0/faad2/commit/b02a9ee5bf071fa92563536c076a69dbec814e7e

CVE-2023-38858 (https://github.com/knik0/faad2/issues/173):

Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039.

Patch: https://github.com/knik0/faad2/commit/c65ae2904192965e7c9fcafe8c1ae5fa0649eea4

Patches in 2.11.0, please stabilize.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-29 13:55:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33e43bfd4798dbd26ca5e81e3f2bc6eca183255e

commit 33e43bfd4798dbd26ca5e81e3f2bc6eca183255e
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-11-29 13:54:59 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-11-29 13:54:59 +0000

    media-libs/faad2: dropped obsolete 2.10.1
    
    Bug: https://bugs.gentoo.org/918595
    Bug: https://bugs.gentoo.org/918558
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/faad2/Manifest            |  1 -
 media-libs/faad2/faad2-2.10.1.ebuild | 50 ------------------------------------
 media-libs/faad2/metadata.xml        |  3 ---
 3 files changed, 54 deletions(-)
Comment 2 Miroslav Šulc gentoo-dev 2023-11-29 13:55:51 UTC 
the tree is clean now, you can proceed.
Comment 3 Larry the Git Cow gentoo-dev 2024-01-10 11:44:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a1eecf982df504f02f8b23c7cace982c168ea64b

commit a1eecf982df504f02f8b23c7cace982c168ea64b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-10 11:43:50 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-10 11:44:39 +0000

    [ GLSA 202401-13 ] FAAD2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918558
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-13.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)