Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 746413 (CVE-2020-26682) - <media-libs/libass-0.15.0: integer overflows (CVE-2020-26682)
Summary: <media-libs/libass-0.15.0: integer overflows (CVE-2020-26682)
Status: RESOLVED FIXED
Alias: CVE-2020-26682
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/libass/libass/pull...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-04 02:05 UTC by John Helmert III
Modified: 2020-12-23 20:20 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libass-0.15.0
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-10-04 02:05:57 UTC
Unmerged patch at $URL, at worst this appears to be DoS.
Comment 1 John Helmert III gentoo-dev Security 2020-10-08 21:28:14 UTC
Patch is merged.
Comment 2 Sam James archtester gentoo-dev Security 2020-11-20 03:03:12 UTC
Now in a release - 0.15.0
Comment 3 Larry the Git Cow gentoo-dev 2020-11-20 04:51:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=60e86f87dbc988fd780af5a24d21181bf75ae6d7

commit 60e86f87dbc988fd780af5a24d21181bf75ae6d7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-20 04:49:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-20 04:50:59 +0000

    media-libs/libass: security bump to 0.15.0
    
    Bug: https://bugs.gentoo.org/746413
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libass/Manifest             |  1 +
 media-libs/libass/libass-0.15.0.ebuild | 42 ++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 4 Rolf Eike Beer archtester 2020-11-30 21:16:21 UTC
~hppa is fine
Comment 5 Sam James archtester gentoo-dev Security 2020-12-01 12:16:17 UTC
amd64 done
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-12-02 03:07:50 UTC
x86 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-12-02 10:21:25 UTC
arm64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-12-02 21:54:18 UTC
arm done
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-04 19:16:02 UTC
ppc/ppc64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-05 11:47:24 UTC
sparc stable
Comment 11 Larry the Git Cow gentoo-dev 2020-12-07 03:56:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c61a2238d5f7e0e0b7e74bfbfd8bba583d6bea8

commit 8c61a2238d5f7e0e0b7e74bfbfd8bba583d6bea8
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-06 16:47:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-07 03:56:18 +0000

    media-libs/libass: security cleanup (<0.15.0)
    
    Bug: https://bugs.gentoo.org/746413
    Package-Manager: Portage-3.0.11, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18533
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libass/Manifest             |  1 -
 media-libs/libass/libass-0.14.0.ebuild | 45 ----------------------------------
 media-libs/libass/metadata.xml         |  3 ---
 3 files changed, 49 deletions(-)
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-12-22 22:39:56 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:07 UTC
This issue was resolved and addressed in
 GLSA 202012-12 at https://security.gentoo.org/glsa/202012-12
by GLSA coordinator Thomas Deutschmann (whissi).