FS#68042 - [libass][security] buffer overflow

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Tuesday, 29 September 2020, 18:59 GMT
Last edited by Maxime Gauduin (Alucryd) - Tuesday, 27 October 2020, 13:29 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Maxime Gauduin (Alucryd)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The libass package is currently vulnerable to a buffer overflow bug. Upstream has not made a new release since 2017. Switching to a git clone with the fix(es) may be needed.


Closed by Maxime Gauduin (Alucryd)
Tuesday, 27 October 2020, 13:29 GMT
Reason for closing: Fixed
Additional comments about closing: 0.15.0
Comment by T.J. Townsend (blakkheim) - Tuesday, 29 September 2020, 19:18 GMT
Attached diff switches the PKGBUILD to the git commit with the fix.

I'm unsure whether pkgrel needs a bump when the version is appended with git stuff, so feel free to change that line if not.

It passes a build test here.
Comment by loqs (loqs) - Tuesday, 29 September 2020, 21:27 GMT
mysta, have you considered using [1] instead as the pinned commit, as it was when the lib version was last updated?
The fix [2] applies cleanly to it but has not been merged. Do any of the packages depending on it need patches for compatibility?
For instance, the srt update broke building ffmpeg and vlc, and aegisub is still broken from the ffms2 update.

[1] https://github.com/libass/libass/commit/e5140624ff739c3157929bc5e1a1007cdc9cdaa8
[2] https://github.com/libass/libass/commit/dfb0d9c8afecf5d27b571113d1d48dc993a3760f
Comment by T.J. Townsend (blakkheim) - Thursday, 08 October 2020, 21:34 GMT
Comment by Maxime Gauduin (Alucryd) - Friday, 16 October 2020, 07:58 GMT
A 0.15.0 release is on the way, will wait for that.
Comment by T.J. Townsend (blakkheim) - Friday, 16 October 2020, 16:29 GMT
This has apparently been assigned CVE-2020-26682.
Comment by T.J. Townsend (blakkheim) - Tuesday, 27 October 2020, 12:43 GMT