Bug 650890 (CVE-2017-17446) - <media-libs/game-music-emu-0.6.2: Denial of Service through non-negative size
Status: RESOLVED FIXED
Alias: CVE-2017-17446
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2018-03-19 14:51 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-08 02:26 UTC

Package list:
media-libs/game-music-emu-0.6.2
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 14:51:28 UTC
CVE-2017-17446 (https://nvd.nist.gov/vuln/detail/CVE-2017-17446):
  The Mem_File_Reader::read_avail function in Data_Reader.cpp in the
  Game_Music_Emu library (aka game-music-emu) 0.6.1 does not ensure a
  non-negative size, which allows remote attackers to cause a denial of
  service (application crash) via a crafted file.


@Maintainers please call for stabilization when ready.

Thank you
Comment 1 Larry the Git Cow gentoo-dev 2018-08-22 07:16:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40b2834fc7f78a23f6668d029ee31bb0405ecafc

commit 40b2834fc7f78a23f6668d029ee31bb0405ecafc
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-22 07:13:02 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-22 07:13:02 +0000

    media-libs/game-music-emu: 0.6.2 version bump
    
    Bug: https://bugs.gentoo.org/650890
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-libs/game-music-emu/Manifest                    |  1 +
 media-libs/game-music-emu/game-music-emu-0.6.2.ebuild | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2018-08-30 07:26:02 UTC
amd64 stable
Comment 3 Sergei Trofimovich gentoo-dev 2018-09-01 23:47:30 UTC
ppc64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-09-02 23:47:57 UTC
x86 stable
Comment 5 Andreas Sturmlechner gentoo-dev 2018-09-05 19:38:00 UTC
(In reply to Agostino Sarubbo from comment #2)
> amd64 stable

I don't see it.
Comment 6 Agostino Sarubbo gentoo-dev 2018-09-06 15:26:59 UTC
amd64 stable
Comment 7 Sergei Trofimovich gentoo-dev 2018-09-07 23:18:53 UTC
ppc stable
Comment 8 Tobias Klausmann gentoo-dev 2018-09-13 14:34:22 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2018-09-19 16:58:40 UTC
arm stable, all arches done.
Comment 10 Larry the Git Cow gentoo-dev 2018-09-30 16:14:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6569a8680d2d2548a2127b3a40171e008d9f9d

commit bb6569a8680d2d2548a2127b3a40171e008d9f9d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-30 16:12:40 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-30 16:13:51 +0000

    media-libs/game-music-emu: Security cleanup
    
    Bug: https://bugs.gentoo.org/650890
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 media-libs/game-music-emu/Manifest                    |  1 -
 media-libs/game-music-emu/game-music-emu-0.6.1.ebuild | 17 -----------------
 2 files changed, 18 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94f586be667593eabf9fb452ba3a5a1408ff624b

commit 94f586be667593eabf9fb452ba3a5a1408ff624b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-30 16:11:04 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-30 16:13:51 +0000

    profiles: hppa: Stable-mask media-video/ffmpeg[gme]
    
    Blocking security cleanup.
    
    Bug: https://bugs.gentoo.org/650890
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/arch/hppa/package.use.stable.mask | 4 ++++
 1 file changed, 4 insertions(+)
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2018-11-08 02:26:10 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].