FS#54859 - [lame] [Security] denial of service (CVE-2017-98{69..72} CVE-2015-9101)
Attached to Project:
Arch Linux
Opened by Pablo Lezaeta (Jristz) - Tuesday, 18 July 2017, 05:46 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 22 February 2018, 23:39 GMT
Details
Summary
=======
The package lame is vulnerable to denial of service via CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869 and CVE-2015-9101.

Guidance
========
Holy Nightmare Moon, this package has not been touched since the GCC-5 rebuild! Maybe start checking the https to-do too and improving a little the pkgbuild style in the meanwhile.

Now let's check:
CVE-2015-9101 fixed with Debian lame 3.99.5+repack1-3+deb7u1 from wheezy onward.
CVE-2017-9869 to 9072: Debian shows unfixed and the bug on the mailing list shows signs of no one care-

References
==========
https://security.archlinux.org/AVG-330
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-heap-based-buffer-overflow-in-fill_buffer_resample-util-c/
https://github.com/asarubbo/poc repository with poc for many CVEs including this.
Closed by Levente Polyak (anthraxx)
Thursday, 22 February 2018, 23:39 GMT
Reason for closing: Fixed
Additional comments about closing: 3.100-1
There are patches available for some of the other CVEs, but the PoCs provided are rejected by the unpatched lame, preventing validation.
CVE-2015-9101.WHENCE (1 KiB)
CVE-2015-9101 fixed on 2015-04-28: https://sourceforge.net/p/lame/svn/6320/
CVE-2017-9869 fixed on 2017-08-19: https://sourceforge.net/p/lame/svn/6372/
CVE-2017-9870, CVE-2017-9871 and CVE-2017-9872 fixed on 2017-08-18 and 2017-08-20:
https://sourceforge.net/p/lame/svn/6362/ and https://sourceforge.net/p/lame/svn/6365/
3.100 released on 2017-10-13.