FS#54613 - [faad2] denial of service (CVE-2017-92((57..53)) CVE-2017-92((23..18)))

Attached to Project: Arch Linux
Opened by Santiago Torres (sangy) - Tuesday, 27 June 2017, 16:52 GMT
Last edited by Jan de Groot (JGC) - Tuesday, 15 August 2017, 09:24 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No
The package faad2 is vulnerable to denial of service via CVE-2017-9257, CVE-2017-9256, CVE-2017-9255, CVE-2017-9254, CVE-2017-9253, CVE-2017-9223, CVE-2017-9222, CVE-2017-9221, CVE-2017-9220, CVE-2017-9219 and CVE-2017-9218.
There doesn't seem to be an upstream release underway, so we will probably have to find and backport/write our own.
Closed by Jan de Groot (JGC)
Tuesday, 15 August 2017, 09:24 GMT
Reason for closing: Fixed
Additional comments about closing: This was fixed in 2.8.1-1.
Comment by Pablo Lezaeta (Jristz) - Tuesday, 18 July 2017, 05:30 GMT
Let's start with the fact that the last upstream release on the official webpage was on 2009-02-10, nearly 8 years ago, so the first approach will be to check whether either there is an active fork (Debian sid shows a faad2 2.8.1-1) or the project has an active official repo, and check there first whether any patch exists.

In the latter case, try to check whether it is possible to drop faad2 without losing the option to decode faad2 archives (does another package provide the functionality?) to alleviate the accumulating issues.

Checking the Debian bug tracker page shows that none of the CVE-2017 issues are fixed yet in 2.8.1-1, so it looks like either we find an active fork like Debian's or we drop it, unless we are OK with this security hole. Oh yeah, don't forget that all the CVE-2017 issues listed here are remotely exploitable.

Also, you beat me to it, since this bug was not showing on the Security tab on the Arch page.