Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635548 (CVE-2017-12911, CVE-2017-12912) - <media-sound/mp3gain-1.6.1: Multiple vulnerabilities
Summary: <media-sound/mp3gain-1.6.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12911, CVE-2017-12912
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-27 00:52 UTC by GLSAMaker/CVETool Bot
Modified: 2018-06-11 15:22 UTC (History)
8 users (show)

See Also:
Package list:
media-sound/mp3gain-1.6.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-27 00:52:06 UTC
CVE-2017-12912 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12912):
  The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability which
  results in a read access violation when opening a crafted MP3 file.

CVE-2017-12911 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12911):
  The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in
  a stack memory corruption when opening a crafted MP3 file.
Comment 1 Agostino Sarubbo gentoo-dev 2017-10-27 06:51:39 UTC
the latter is a write issue which I had a way to see.
Comment 2 Herb Miller Jr. 2018-03-19 14:14:09 UTC
Upstream fixed CVE-2017-12911 last month. It was a blocker for the 1.6.2 release. I'll ping them about CVE-2017-12912 soon as Sourceforge cooperates with me accessing my account.
Comment 3 Pacho Ramos gentoo-dev 2018-04-21 14:34:52 UTC
[master ace29cb9d332] media-sound/mp3gain: Bump (#630954), fix CVE-2017-12911 (#635548)
 3 files changed, 112 insertions(+)
 create mode 100644 media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-12911.patch
 create mode 100644 media-sound/mp3gain/mp3gain-1.6.1.ebuild

For the CVE-2017-12912 I couldn't find any fix :/ but I guess we can stabilize this version meantime
Comment 4 Pacho Ramos gentoo-dev 2018-04-21 14:38:47 UTC
I am not sure if maybe clone this bug to cover the remaining security issue in the future :/

Anyway, for now we can stabilize 1.6.1
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-21 23:16:29 UTC
(In reply to Pacho Ramos from comment #4)
> I am not sure if maybe clone this bug to cover the remaining security issue
> in the future :/
> 
> Anyway, for now we can stabilize 1.6.1

I think we can proceed to stabilize and address the other CVE with another stable call in this bug.
Comment 6 Larry the Git Cow gentoo-dev 2018-04-21 23:23:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5162ff386be42cbfaadbb0bfa40aa41308c5b4ae

commit 5162ff386be42cbfaadbb0bfa40aa41308c5b4ae
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-21 23:18:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-21 23:18:27 +0000

    media-sound/mp3gain: amd64 stable wrt bug #635548
    
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-04-22 01:36:13 UTC
x86 stable
Comment 8 Matt Turner gentoo-dev 2018-04-22 19:17:42 UTC
hppa stable
Comment 9 Matt Turner gentoo-dev 2018-04-22 20:29:23 UTC
alpha stable
Comment 10 Larry the Git Cow gentoo-dev 2018-05-08 18:43:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c1fd2a3efff669160051b646a1bd48c419be2fdd

commit c1fd2a3efff669160051b646a1bd48c419be2fdd
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-08 18:20:17 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-08 18:42:40 +0000

    media-sound/mp3gain: stable 1.6.1 for sparc
    
    Bug: https://bugs.gentoo.org/635548
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-sound/mp3gain/mp3gain-1.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-06-11 15:22:25 UTC
looks like ppc/ppc64 keywords were dropped.

Moving on.

GLSA Vote: No

Tree is clean.