Bug 662172 (CVE-2018-14449, CVE-2018-14450, CVE-2018-14451, CVE-2018-14452, CVE-2018-14453, CVE-2018-14454, CVE-2018-14455, CVE-2018-14456, CVE-2018-14457, CVE-2018-14458, CVE-2018-14459) - media-libs/libgig: Multiple vulnerabilities
Summary: media-libs/libgig: Multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2018-14449, CVE-2018-14450, CVE-2018-14451, CVE-2018-14452, CVE-2018-14453, CVE-2018-14454, CVE-2018-14455, CVE-2018-14456, CVE-2018-14457, CVE-2018-14458, CVE-2018-14459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa upstream? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-26 08:15 UTC by GLSAMaker/CVETool Bot
Modified: 2021-04-29 11:07 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-26 08:15:04 UTC
CVE-2018-14459 (https://nvd.nist.gov/vuln/detail/CVE-2018-14459):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  pData[0] access in the function store16 in helper.h.

CVE-2018-14458 (https://nvd.nist.gov/vuln/detail/CVE-2018-14458):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in pData[1] access in the function store32 in helper.h.

CVE-2018-14457 (https://nvd.nist.gov/vuln/detail/CVE-2018-14457):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  the function DLS::Info::UpdateChunks in DLS.cpp.

CVE-2018-14456 (https://nvd.nist.gov/vuln/detail/CVE-2018-14456):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  the function DLS::Info::SaveString in DLS.cpp.

CVE-2018-14455 (https://nvd.nist.gov/vuln/detail/CVE-2018-14455):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in
  pData[0] access in the function store32 in helper.h.

CVE-2018-14454 (https://nvd.nist.gov/vuln/detail/CVE-2018-14454):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the function RIFF::Chunk::Read in RIFF.cpp.

CVE-2018-14453 (https://nvd.nist.gov/vuln/detail/CVE-2018-14453):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in pData[1] access in the function store16 in helper.h.

CVE-2018-14452 (https://nvd.nist.gov/vuln/detail/CVE-2018-14452):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the "always assign the sample of the first dimension region of this region"
  feature of the function gig::Region::UpdateChunks in gig.cpp.

CVE-2018-14451 (https://nvd.nist.gov/vuln/detail/CVE-2018-14451):
  An issue was discovered in libgig 4.1.0. There is a heap-based buffer
  overflow in the function RIFF::Chunk::Read in RIFF.cpp.

CVE-2018-14450 (https://nvd.nist.gov/vuln/detail/CVE-2018-14450):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  the "update dimension region's chunks" feature of the function
  gig::Region::UpdateChunks in gig.cpp.

CVE-2018-14449 (https://nvd.nist.gov/vuln/detail/CVE-2018-14449):
  An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in
  gig::File::UpdateChunks in gig.cpp.


@Maintainers maybe 4.0.0 is affected. Take adequate precautions for the bump.

Thank you,
Comment 1 Larry the Git Cow gentoo-dev 2019-11-13 13:39:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf2cfb75862240ca1e73b980ac7f85bcd36df5c6

commit bf2cfb75862240ca1e73b980ac7f85bcd36df5c6
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-11-13 13:38:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-11-13 13:39:06 +0000

    media-libs/libgig-4.2.0: bump
    
    Bug: https://bugs.gentoo.org/662172
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libgig/Manifest            |  1 +
 media-libs/libgig/libgig-4.2.0.ebuild | 37 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2019-11-13 13:45:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2350518cb0db6a5a314e079d00f025fbee910fed

commit 2350518cb0db6a5a314e079d00f025fbee910fed
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-11-13 13:44:45 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-11-13 13:45:09 +0000

    media-libs/libgig-4.1.0: removed vulnerable (bug #662172)
    
    no stable dependants so dropping to unstable
    
    Bug: https://bugs.gentoo.org/662172
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libgig/Manifest            |  1 -
 media-libs/libgig/libgig-4.1.0.ebuild | 37 -----------------------------------
 2 files changed, 38 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2019-11-13 13:46:41 UTC
Removed vulnerable, so now we have only 4.2.0. Dropped to unstable as there are no stable dependants. Can proceed.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 01:46:30 UTC
Not clear if fixed in 4.2.0: https://svn.linuxsampler.org/cgi-bin/viewvc.cgi/libgig/trunk/ChangeLog
Comment 5 Miroslav Šulc gentoo-dev 2021-04-29 06:55:11 UTC
I did not test all of the issues, but those I tested still exist in 4.2.0.
Comment 6 Miroslav Šulc gentoo-dev 2021-04-29 11:07:22 UTC
I contacted Christian Schoenebeck from the LinuxSampler team about the situation and here is his answer:

"Yes, and there are more unresolved ones:

https://bugs.linuxsampler.org/cgi-bin/buglist.cgi?f1=longdesc&f2=short_desc&j_top=OR&o1=anywordssubstr&o2=anywordssubstr&product=libgig&query_format=advanced&resolution=---&resolution=INVALID&resolution=WONTFIX&resolution=LATER&resolution=REMIND&resolution=WORKSFORME&v1=CVE%2Ccrash%2Cfuzz%2Csecurity%2Coverflow%2Csegfault%2Csegmentation%2CSEGV&v2=CVE%2Ccrash%2Cfuzz%2Csecurity%2Coverflow%2Csegfault%2Csegmentation%2CSEGV

I had a discussion about libgig CVEs in general with Markus from Debian a year ago, so I'm putting him on CC for that reason.

To put things into perspective: I'm also an upstream submaintainer of the QEMU project where I handle CVEs and in fact any single line change in QEMU with huge care due to QEMU's sensibility.

The situation with libgig is different though. To make it short: there are a large number of potential security vulnerabilities in libgig, yes, but please don't expect from my side that I'm going to fix every one of those by just receiving reports.

The unpleasant truth is that libgig is currently not designed/maintained to be used on untrusted (.gig, .dls, .sf2, .kmp, .ksf) files. Which actually applies to many other music/audio related software libs and apps as well. It is simply not the typical use case of these types of software to deal safely with explicitly manipulated, malicious files.

I know that response is unsatisfying for you, but I received so many auto-generated bug reports (mostly of automated fuzzing tests), and I am the only person working on this library for many years, so I decided a while ago to only process those LS/libgig CVE reports which also either a) provide a potential patch for the respective libgig CVE, or b) if the respective issue may also be triggered by users with "trusted" files (i.e. certain edge cases) as well.

If you have viable suggestions how the situation could be improved in future, then I'm of course open for discussions on this."