
FS#57601 - [libid3tag] multiple cves

Attached to Project: Arch Linux
Opened by Karol Babioch (kbabioch) - Wednesday, 21 February 2018, 22:15 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 21 February 2018, 23:19 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

CVEs in libid3tag:

- CVE-2004-2779 (already fixed?)
- CVE-2008-2109 (already fixed?)
- CVE-2017-11550
- CVE-2017-11551

Used by several high-profile applications: audacity, minidlna, mpd, easytag

Upstream is dead. All of them are fixed by the following two patches from Debian:
https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
https://sources.debian.org/patches/libid3tag/0.15.1b-13/11_unknown_encoding.dpatch/

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11551
Closed by Doug Newgard (Scimmia)
Wednesday, 21 February 2018, 23:19 GMT
Reason for closing: Not a bug
Comment by Karol Babioch (kbabioch) - Wednesday, 21 February 2018, 22:19 GMT
Looking at the PKGBUILD we apply the following patches:

10_utf16.diff
11_unknown_encoding.diff
CVE-2008-2109.patch

These were probably taken from the Debian package (https://sources.debian.org/patches/libid3tag/0.15.1b-13/). They fix all of the above issues. 11_unknown_encoding.diff also fixes CVE-2008-2109, in a different way from CVE-2008-2109.patch, so the latter could probably be dropped. It was an initial patch which was never merged upstream, is no longer needed, and has been dropped from the Debian package.
