Bug 627316 (CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664) - <media-sound/wildmidi-0.3.13: Multiple vulnerabilities
Summary: <media-sound/wildmidi-0.3.13: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 635550
Depends on:
Blocks:
Reported: 2017-08-08 12:43 UTC by Agostino Sarubbo
Modified: 2018-11-25 01:01 UTC

See Also:
Package list:
media-sound/wildmidi-0.3.13
Runtime testing required: ---
stable-bot: sanity-check+

Description Agostino Sarubbo gentoo-dev 2017-08-08 12:43:38 UTC
From ${URL} :

CVE-2017-11661

The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.

CVE-2017-11662

The _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.

CVE-2017-11663

The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.

CVE-2017-11664

The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.

Upstream patch:

https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd

References:

http://seclists.org/fulldisclosure/2017/Aug/12


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 01:29:25 UTC
*** Bug 635550 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2018-08-22 21:06:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a6ad87c72f74317c6412384cfccd9dc2c085e4

commit e7a6ad87c72f74317c6412384cfccd9dc2c085e4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-22 21:05:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-22 21:06:37 +0000

    media-sound/wildmidi: 0.3.13 version bump, multiple security fixes
    
    CVE-2017-11661, CVE-2017-11662, CVE-2017-11663, CVE-2017-11664
    
    Bug: https://bugs.gentoo.org/627316
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-sound/wildmidi/Manifest               |  1 +
 media-sound/wildmidi/wildmidi-0.3.13.ebuild | 75 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-24 01:41:56 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-24 03:39:29 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:54:16 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:56:08 UTC
ppc64 stable
Comment 7 Markus Meier gentoo-dev 2018-09-19 16:58:19 UTC
arm stable, all arches done.
Comment 8 Larry the Git Cow gentoo-dev 2018-09-30 15:39:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78dc4b326a317b0dbada8261be2ce45016ded02f

commit 78dc4b326a317b0dbada8261be2ce45016ded02f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-20 10:16:23 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-30 15:39:00 +0000

    media-sound/wildmidi: Security cleanup
    
    Bug: https://bugs.gentoo.org/627316
    Package-Manager: Portage-2.3.49, Repoman-2.3.10
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-sound/wildmidi/Manifest                |  4 --
 media-sound/wildmidi/wildmidi-0.2.3.5.ebuild | 43 -----------------
 media-sound/wildmidi/wildmidi-0.3.6.ebuild   | 70 ----------------------------
 media-sound/wildmidi/wildmidi-0.3.7.ebuild   | 68 ---------------------------
 media-sound/wildmidi/wildmidi-0.3.8.ebuild   | 70 ----------------------------
 5 files changed, 255 deletions(-)