Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596422 (CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972) - <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971,7972})
Summary: <media-libs/libass-0.13.6: multiple vulnerabilities (CVE-2016-{7969,7970,7971...
Alias: CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2016-10-07 10:21 UTC by Agostino Sarubbo
Modified: 2017-06-05 21:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-07 10:21:11 UTC
From ${URL} :

The open source libass library is used to read and render subtitles onto images or frames of a movie. It is a popular library used in a few well-known media players. It seems it is usually shipped statically? Not sure. <>

Attached are 4 test cases and their asan/valgrind results tested against version 0.13.3. 

One is in wrap_lines_smart() ( <>).

One is coeff_blur121() ( <>).

The third is a huge memory allocation leading to a crash that wasn’t fixed because a good solution is unavailable at the moment.

The fourth is in check_allocations() ( <>).

These should be fixed in the 0.13.4 release, but are fixed currently on master. Thanks to the libass team for the quick turnaround. 

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexis Ballier gentoo-dev 2016-10-10 10:22:20 UTC
commit 442752b75dce0d135e2039b7e3d0eb231f95752f
Author: Alexis Ballier <>
Date:   Mon Oct 10 12:21:52 2016 +0200

    media-libs/libass: bump to 0.13.4, bug #596422

should be ok for stabilization
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 23:41:38 UTC
@ Maintainer(s): We missed comment #1. Newer versions are now in repository, can we stabilize =media-libs/libass-0.13.6 instead?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-19 23:04:16 UTC
@ Arches,

please test and mark stable: =media-libs/libass-0.13.6
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-20 09:27:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-20 09:47:58 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-20 11:08:02 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 11:38:47 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:21 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-21 20:33:54 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-22 16:28:52 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-23 16:28:06 UTC
ia64 stable
Comment 12 Markus Meier gentoo-dev 2017-02-05 16:59:58 UTC
arm stable, all arches done.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-02-05 23:35:45 UTC
GLSA request filed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-21 00:02:11 UTC
This issue was resolved and addressed in
 GLSA 201702-25 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 00:03:27 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-libs/libass-0.13.4!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-05-26 23:54:12 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 17 Tim Harder gentoo-dev 2017-06-05 21:26:38 UTC
They're now gone from the tree.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-05 21:39:25 UTC
@ Maintainer(s): Thank you for your work!