Arch Linux

FS#68042 - [libass][security] buffer overflow

Attached to Project: Arch Linux
Opened by mysta (mysta) - Tuesday, 29 September 2020, 18:59 GMT
Last edited by freswa (frederik) - Tuesday, 29 September 2020, 19:17 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned
Assigned To: Maxime Gauduin (Alucryd), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
The libass package is currently vulnerable to a buffer overflow bug. Upstream has not made a new release since 2017. Switching to a git clone with the fix(es) may be needed.

Additional info:
https://github.com/libass/libass/issues/431
https://github.com/libass/libass/pull/432
https://github.com/libass/libass/commit/dfb0d9c8afecf5d27b571113d1d48dc993a3760f

Comment by mysta (mysta) - Tuesday, 29 September 2020, 19:18 GMT
Attached diff switches the PKGBUILD to the git commit with the fix.

I'm unsure whether pkgrel needs a bump when the version is appended with git stuff, so feel free to change that line if not.

It passes a build test here.
Comment by loqs (loqs) - Tuesday, 29 September 2020, 21:27 GMT
mysta, have you considered using [1] instead as the pinned commit, as it was when the lib version was last updated?
The fix [2] applies cleanly to it but has not been merged. Do any of the packages depending on it need patches for compatibility?
For instance, the srt update broke building ffmpeg and vlc, and aegisub is still broken from the ffms2 update.

[1] https://github.com/libass/libass/commit/e5140624ff739c3157929bc5e1a1007cdc9cdaa8
[2] https://github.com/libass/libass/commit/dfb0d9c8afecf5d27b571113d1d48dc993a3760f
Comment by mysta (mysta) - Thursday, 08 October 2020, 21:34 GMT
Comment by Maxime Gauduin (Alucryd) - Friday, 16 October 2020, 07:58 GMT
A 0.15.0 release is on the way, will wait for that.
Comment by mysta (mysta) - Friday, 16 October 2020, 16:29 GMT
This has apparently been assigned CVE-2020-26682.
