| Summary: | mp3splt new security issues CVE-2017-566[56] and CVE-2017-5851 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Jani Välimaa <jani.valimaa> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | mageia |
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | mp3splt-2.6.2-2.mga6.src.rpm | CVE: | CVE-2017-5665 CVE-2017-5666 CVE-2017-5851 |
| Status comment: | No upstream or downstream patches available as of early June 2017 | ||
Description
David Walser
2017-02-01 02:17:30 CET
David Walser
2017-02-01 02:17:47 CET
Whiteboard:
(none) =>
MGA5TOO

One more issue: http://openwall.com/lists/oss-security/2017/02/01/3

(In reply to David Walser from comment #1)
> One more issue:
> http://openwall.com/lists/oss-security/2017/02/01/3

CVE-2017-5851: http://openwall.com/lists/oss-security/2017/02/02/8

Summary:
mp3splt new security issues CVE-2017-566[56] =>
mp3splt new security issues CVE-2017-566[56] and CVE-2017-5851
Nicolas Lécureuil
2017-04-25 15:32:05 CEST
CVE:
(none) =>
CVE-2017-5665 CVE-2017-5666 CVE-2017-5851

Had a quick look, as of today nobody seems to have cared enough to produce patches for those issues.

Upstream bug report: https://sourceforge.net/p/mp3splt/bugs/209/

Like Jonas Meurer commented there, some of the PoCs seem not to trigger the issue in our version:

* [GOOD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-main-mp3splt-c/

    mp3splt -P -f -t 0.1 -a 00128-mp3splt-nullptr-main
    mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2
    Matteo Trotta <mtrotta AT users.sourceforge.net>
    Alexandru Munteanu <m AT ioalex.net>
    THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
    Pretending to split file '00128-mp3splt-nullptr-main' ...
    error: no plugin matches the file '00128-mp3splt-nullptr-main'

* [BAD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-splt_cue_export_to_file-cue-c/

    $ mp3splt -P -f -t 0.1 -a 00129-mp3splt-nullptr-splt_cue_export_to_file
    mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2
    Matteo Trotta <mtrotta AT users.sourceforge.net>
    Alexandru Munteanu <m AT ioalex.net>
    THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
    Pretending to split file '00129-mp3splt-nullptr-splt_cue_export_to_file' ...
    mp3splt: layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= (511 + 2048 + 8)' failed.
    Abandon (core dumped)

* [BAD] https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/

    $ mp3splt -P -f -t 0.1 -a ~/00130-mp3splt-badfree-free_options
    mp3splt 2.6.2 (09/11/14) - using libmp3splt 0.9.2
    Matteo Trotta <mtrotta AT users.sourceforge.net>
    Alexandru Munteanu <m AT ioalex.net>
    THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
    Pretending to split file '/home/akien/Téléchargements/00130-mp3splt-badfree-free_options' ...
    mp3splt: layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= (511 + 2048 + 8)' failed.
    Abandon (core dumped)

Rémi Verschelde
2017-06-05 21:40:21 CEST
Status comment:
(none) =>
No upstream or downstream patches available as of early June 2017

It's a leaf package so we could possibly consider dropping it for Mageia 6 if those security issues don't get fixed. At the same time, those security issues seem pretty minor to me, and I don't think we put our users too much at risk by keeping the package unpatched for now.

Dropped from Mageia 6.

Whiteboard:
MGA5TOO =>
(none)

Security issues do seem minor, and this appears to have gone nowhere upstream.

Resolution:
(none) =>
OLD