Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711210 (CVE-2019-14465, CVE-2019-14523, CVE-2019-14524) - media-sound/schismtracker: Multiple vulnerabilities (CVE-2019-{14465,14523,14524})
Summary: media-sound/schismtracker: Multiple vulnerabilities (CVE-2019-{14465,14523,14...
Status: IN_PROGRESS
Alias: CVE-2019-14465, CVE-2019-14523, CVE-2019-14524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/schismtracker/schi...
Whiteboard: B2 [ebuild+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 19:30 UTC by Sam James
Modified: 2020-06-20 02:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-03-01 19:30:52 UTC
Description:
"An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c."

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-14523
Affects:
< 20190722

Fixed release: https://github.com/schismtracker/schismtracker/releases/tag/20190805
Patch: https://github.com/schismtracker/schismtracker/commit/c8986a876959a9d282e882d782af351a86e4034c
Comment 1 Sam James gentoo-dev Security 2020-03-02 14:49:58 UTC
2) CVE-2019-14465

Description: 
"fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow."

Bug: https://github.com/schismtracker/schismtracker/issues/198
Fixed release, as above: https://github.com/schismtracker/schismtracker/releases/tag/20190805
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:06:27 UTC
CVE-2019-14524 (https://nvd.nist.gov/vuln/detail/CVE-2019-14524):
  An issue was discovered in Schism Tracker through 20190722. There is a
  heap-based buffer overflow via a large number of song patterns in
  fmt_mtm_load_song in fmt/mtm.c, a different vulnerability than
  CVE-2019-14465.

CVE-2019-14523 (https://nvd.nist.gov/vuln/detail/CVE-2019-14523):
  An issue was discovered in Schism Tracker through 20190722. There is an
  integer underflow via a large plen in fmt_okt_load_song in the Amiga
  Oktalyzer parser in fmt/okt.c.
Comment 3 Sam James gentoo-dev Security 2020-06-20 02:00:23 UTC
ping