FS#54859 - [lame] [Security] denial of service (CVE-2017-98{69..72} CVE-2015-9101)

Attached to Project: Arch Linux
Opened by Pablo Lezaeta (Jristz) - Tuesday, 18 July 2017, 05:46 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 22 February 2018, 23:39 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Eric Belanger (Snowman)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

The package lame is vulnerable to denial of service via CVE-2017-9872, CVE-2017-9871, CVE-2017-9870, CVE-2017-9869 and CVE-2015-9101.

Guidance
========
Holy Nightmare Moon, this package has not been touched since the GCC-5 rebuild! Maybe start checking the HTTPS to-do too, and improve the PKGBUILD style a little in the meantime.

Now let's check:
CVE-2015-9101 fixed with Debian lame 3.99.5+repack1-3+deb7u1 from wheezy onward.
CVE-2017-9869 to 9072: Debian shows them unfixed, and the bug on the mailing list shows signs of no one care-


References
==========

https://security.archlinux.org/AVG-330
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
https://blogs.gentoo.org/ago/2017/06/17/lame-heap-based-buffer-overflow-in-fill_buffer_resample-util-c/
https://github.com/asarubbo/poc repository with poc for many CVEs including this.

Closed by Levente Polyak (anthraxx)
Thursday, 22 February 2018, 23:39 GMT
Reason for closing: Fixed
Additional comments about closing: 3.100-1
Comment by loqs (loqs) - Sunday, 08 October 2017, 17:07 GMT
CVE-2015-9101.WHENCE details the steps to demonstrate the patch referenced is the correct patch for CVE-2015-9101.patch and fixed the POC that was provided for it.

There are patches available for some of the other CVEs, but the PoCs provided are rejected by the unpatched lame, preventing validation.
Comment by loqs (loqs) - Sunday, 08 October 2017, 17:14 GMT
Fixed numbering of elements 7 to 9.
Comment by kikadf (kikadf) - Wednesday, 17 January 2018, 23:52 GMT
All CVEs fixed in 3.100:

CVE-2015-9101 fixed on 2015-04-28: https://sourceforge.net/p/lame/svn/6320/
CVE-2017-9869 fixed on 2017-08-19: https://sourceforge.net/p/lame/svn/6372/
CVE-2017-9870, CVE-2017-9871 and CVE-2017-9872 fixed on 2017-08-18 and 2017-08-20:
https://sourceforge.net/p/lame/svn/6362/ and https://sourceforge.net/p/lame/svn/6365/

3.100 released on 2017-10-13.

