Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573696 (CVE-2015-8790) - <dev-libs/libebml-1.3.3: two vulnerabilities
Summary: <dev-libs/libebml-1.3.3: two vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-8790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2015-8789
  Show dependency tree
 
Reported: 2016-02-02 15:50 UTC by Agostino Sarubbo
Modified: 2017-01-15 07:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-02 15:50:46 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1303861:

The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent 
attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, 
which triggers an invalid memory access.

External references:

http://www.scip.ch/en/?vuldb.80728
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8790

Upstream fix:

https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b




From https://bugzilla.redhat.com/show_bug.cgi?id=1303853:

The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.

External references:

http://www.scip.ch/en/?vuldb.80729
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8791

Upstream fix:

https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-13 09:43:22 UTC
@maintainers, please cleanup the vulnerable versions or let us know if you need additional time.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-27 12:13:07 UTC
media-video/vlc-2.2.1-r1 (matroska ? >=dev-libs/libebml-1:0)
media-video/vlc-2.2.4 (matroska ? >=dev-libs/libebml-1:0)
media-video/vlc-2.2.9999 (matroska ? >=dev-libs/libebml-1:0)
media-video/vlc-9999 (matroska ? >=dev-libs/libebml-1:0)

@maintainer(s), can VLC be bumped to rely on 1.3.x?

There are no indications that the 1.2.x branch is vulnerable, but VLC is the only rdep at this time.  Please let us know how you would like to proceed.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-01-14 15:18:14 UTC
GLSA Vote: No

Waiting for cleanup in bug 564424.