Bug 566682 (CVE-2015-7805) - <media-libs/libsndfile-1.0.26: AIFF heap write overflow (CVE-2015-7805)
Summary: <media-libs/libsndfile-1.0.26: AIFF heap write overflow (CVE-2015-7805)
Status: RESOLVED FIXED
Alias: CVE-2015-7805
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/erikd/libsndfile/i...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 566680
Blocks:
Reported: 2015-11-23 23:42 UTC by Sebastian Pipping
Modified: 2016-12-03 10:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2015-11-23 23:42:05 UTC
I ran into a related exploit on the internet and noticed we don't have a bug or an update yet.  Please see #566680 for a fix.
Comment 1 Agostino Sarubbo gentoo-dev 2015-11-24 08:15:31 UTC
Arches, please test and mark stable:
=media-libs/libsndfile-1.0.26
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-24 14:24:23 UTC
Stable for PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-25 08:55:26 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-30 06:03:55 UTC
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2015-12-05 12:46:45 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-07 11:41:13 UTC
ppc stable
Comment 7 Myckel Habets 2015-12-08 22:00:52 UTC
Builds fine on x86, redeps build fine as well. Please mark stable for x86.
Comment 8 Agostino Sarubbo gentoo-dev 2015-12-09 11:15:01 UTC
x86 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 09:56:42 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-10 10:42:07 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-01-11 09:08:10 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Justin Lecher (RETIRED) gentoo-dev 2016-01-26 08:51:58 UTC
commit 6f4d6d4e5f9402581ccb90dcba045a509b03a99a
Author: Justin Lecher <jlec@gentoo.org>
Date:   Tue Jan 26 09:51:14 2016 +0100

    media-libs/libsndfile: Drop version vulnerable for CVE-2015-7805

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f4d6d4e5f9402581ccb90dcba045a509b03a99a
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2016-01-26 08:52:13 UTC
@sec, clean again.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:52:51 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-03 10:28:48 UTC
This issue was resolved and addressed in GLSA 201612-03 at https://security.gentoo.org/glsa/201612-03 by GLSA coordinator Aaron Bauman (b-man).