FS#74960 - [libmad] [security] CVE-2017-8372, 8373, 8374

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Saturday, 04 June 2022, 22:16 GMT
Last edited by Christian Hesse (eworm) - Friday, 17 February 2023, 21:09 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The libmad package is currently vulnerable to CVE-2017-8372, CVE-2017-8373, and CVE-2017-8374.

Additional info:
Upstream is long dead. Some fixes can be added from https://sources.debian.org/src/libmad/0.15.1b-10/debian/patches/

Closed by Christian Hesse (eworm)
Friday, 17 February 2023, 21:09 GMT
Reason for closing: Fixed
Additional comments about closing: libmad 0.15.1b-10
Comment by Tommy Zhang (T-J-M) - Sunday, 05 June 2022, 03:26 GMT
Thanks for reporting. Temporarily removed it from my systems.
Comment by loqs (loqs) - Sunday, 05 June 2022, 09:33 GMT
@mysta please take a look at the attached diff.

libmad-md_size.diff (CVE-2017-8372, CVE-2017-8373) and libmad-length-check.patch (CVE-2017-8374) from Debian replace frame_length.diff
libmad-0.15.1b-gcc43.patch is from Suse and stops configure filtering CFLAGS; it replaces optimize.diff
libmad.patch renamed to libmad-pkgconfig.patch
amd64-64bit.diff renamed to libmad-amd64-64bit.diff

Removed CFLAGS="$CFLAGS -ftree-vectorize -ftree-vectorizer-verbose=1" which had no effect due to configure filtering CFLAGS.
Comment by T.J. Townsend (blakkheim) - Sunday, 24 July 2022, 22:19 GMT
This still hasn't even been assigned to anyone... :/
Comment by T.J. Townsend (blakkheim) - Friday, 19 August 2022, 19:45 GMT
Comment by Siegfried Metz (NiceGuy) - Tuesday, 06 September 2022, 21:54 GMT
Thanks for your security efforts, guys. Gotta add it to my own repo. Much appreciated.
Comment by T.J. Townsend (blakkheim) - Wednesday, 12 October 2022, 16:53 GMT
Worth mentioning is that there's a fork of libmad that integrates the patches from Debian and Fedora: https://github.com/tenacityteam/libmad/commits/main