Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#74960 - [libmad] [security] CVE-2017-8372, 8373, 8374

Attached to Project: Arch Linux
Opened by mysta (mysta) - Saturday, 04 June 2022, 22:16 GMT
Task Type Bug Report
Category Packages: Extra
Status Unconfirmed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Description:
The libmad package is currently vulnerable to CVE-2017-8372, CVE-2017-8373, and CVE-2017-8374.

Additional info:
Upstream is long dead. Some fixes can be added from https://sources.debian.org/src/libmad/0.15.1b-10/debian/patches/
This task depends upon

Comment by Tommy Zhang (T-J-M) - Sunday, 05 June 2022, 03:26 GMT
Thanks for reporting. Temporally removed it from my systems.
Comment by loqs (loqs) - Sunday, 05 June 2022, 09:33 GMT
@mysta please take a look at the attached diff.

libmad-md_size.diff ( CVE-2017-8372 CVE-2017-8373 ) and libmad-length-check.patch ( CVE-2017-8374) from Debian replaces frame_length.diff
libmad-0.15.1b-gcc43.patch is from Suse and stops configure filtering CFLAGS replaces optimize.diff
libmad.patch renamed to libmad-pkgconfig.patch
amd64-64bit.diff renamed to libmad-amd64-64bit.diff

Removed CFLAGS="$CFLAGS -ftree-vectorize -ftree-vectorizer-verbose=1" which had no effect due to configure filtering CFLAGS.

Loading...