https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
CVE-2017-6834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6834): Heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6839): Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6836): Heap-based buffer overflow in the Expand3To4Module::run function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6835): The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file.

CVE-2017-6833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6833): The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file.

CVE-2017-6832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6832): Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6831): Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6830 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6830): Heap-based buffer overflow in the alaw2linear_buf function in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6829): The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6828): Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.

CVE-2017-6827 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6827): Heap-based buffer overflow in the MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted audio file.
@maintainer(s): ping
Created attachment 644044
audiofile-0.3.6-cve-2015.patch

This is a series of commits I found referenced on Debian CVE tracker bugs, found here[1]. I was able to verify this patchset fixed each of the CVEs in this bug, except for CVE-2017-{6829,6832,6838,6839} none of which I was able to reproduce. However, the Debian tracker references one of the commits I included for each of these CVEs.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857651
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8

commit f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8
Author: John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-19 18:28:17 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 18:28:17 +0000

    media-libs/audiofile: Add security patches

    Dropping the system-gtest patch is necessary to make the tests run, as mentioned here:
    https://bugs.gentoo.org/680482#c8
    The three closed bugs are reported test failures fixed by dropping the aforementioned patch and a slight repair of src_test.
    Because we're not using system gtest anymore, we can drop the test dependency on dev-cpp/gtest, and by extension the IUSE=test boilerplate.

    Bug: https://bugs.gentoo.org/614046
    Bug: https://bugs.gentoo.org/687766
    Closes: https://bugs.gentoo.org/680482
    Closes: https://bugs.gentoo.org/715192
    Closes: https://bugs.gentoo.org/720836
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16141
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r4.ebuild | 55 +++
 .../files/audiofile-0.3.6-CVE-2017-68xx.patch | 379 +++++++++++++++++++++
 ...ofile-0.3.6-CVE-2018-13440-CVE-2018-17095.patch | 82 +++++
 3 files changed, 516 insertions(+)
arm stable
arm64 stable
ppc stable
ppc64 stable
x86 stable
amd64 stable
sparc stabled by slyfox (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90d2a67ef40811d7f8adf3e0d6a6dbc235541ff1) on 22nd
GLSA Vote: no
dropped to ~hppa
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99c6a8c3924a9938c21a05f0498046c3e73c50c8

commit 99c6a8c3924a9938c21a05f0498046c3e73c50c8
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:22 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:37 +0000

    media-libs/audiofile: security cleanup

    Bug: https://bugs.gentoo.org/687766
    Bug: https://bugs.gentoo.org/614046
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r3.ebuild | 50 --------------------------
 1 file changed, 50 deletions(-)