An integer overflow has been found in taglib. From a mail thread at :
On Sun, Mar 4, 2012 at 4:41 AM, Zubin Mithra <zubin.mithra at gmail.com> wrote:
> - Sanity checks are not performed for fields read from a media file, which
> are used to allocate memory later on. Causes DoS due to application crash at
> the very least, exploitability is unconfirmed.
> An example :-
> APE::Item::parse(const ByteVector &data)
> d->key = String(data.mid(8), String::UTF8);
@kde, I believe this may be fixed in 1.7.1. If it is, can we move forward and stabilize that version? Thanks.
Yes go ahead!
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Stable for HPPA.
Thank you all, kde is done here. Removing from cc.
+ 17 Apr 2012; Johannes Huber <firstname.lastname@example.org>
+ -files/taglib-1.7-security.patch, -taglib-1.7-r1.ebuild:
+ Remove old wrt bug #410953.
Thanks, everyone. GLSA already drafted and ready for review.
This issue was resolved and addressed in
GLSA 201206-16 at http://security.gentoo.org/glsa/glsa-201206-16.xml
by GLSA coordinator Sean Amoss (ackle).
Integer overflow in the mid function in toolkit/tbytevector.cpp in TagLib
1.7 and earlier allows context-dependent attackers to cause a denial of
service (application crash) via a crafted file header field in a media file,
which triggers a large memory allocation.