Univention Bugzilla – Bug 46963
libmad: Multiple issues (4.2)
Last modified: 2018-05-08 14:57:13 CEST
New Debian libmad 0.15.1b-8+deb8u1 fixes:

This update addresses the following issues:
* The mad_layer_III function in layer3.c, if NDEBUG is omitted, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted audio file. (CVE-2017-8372)
* The mad_layer_III function in layer3.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. (CVE-2017-8373)
* The mad_bit_skip function in bit.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. (CVE-2017-8374)

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted audio file.

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libmad_0.15.1b-8.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/libmad_0.15.1b-8+deb8u1.dsc @@ -1,3 +1,15 @@ +0.15.1b-8+deb8u1 [Tue, 01 May 2018 13:20:28 +0200] Kurt Roeckx <kurt@roeckx.be>: + + * Properly check the size of the main data. The previous patch + only checked that it could fit in the buffer, but didn't ensure there + was actually enough room free in the buffer. This was assigned both + CVE-2017-8372 and CVE-2017-8373, but they are really the same, just a + different way to detect it. (Closes: #287519) + * Rewrite patch to check the size of buffer. It now checks it before reading + it instead of afterwards checking that we did read too much. This now also + covers parsing the frame and layer3, not just layer 1 and 2. This was + original reported in #508133. CVE-2017-8374 mentions a case in layer 3. + 0.15.1b-8 [Mon, 20 May 2013 18:02:18 +0200] Kurt Roeckx <kurt@roeckx.be>: * Add multiarch support. (Closes: #653676)
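Review bot: The second changelog item only says that CVE-2017-8374 "mentions a case in layer 3" and never states that the rewritten buffer-size check fixes it. State that explicitly (for example "Fixes CVE-2017-8374"), so the entry can be matched against the advisory the same way the first item can for CVE-2017-8372 and CVE-2017-8373. In the same item, "original reported" should be "originally reported", and "afterwards checking that we did read too much" would be clearer as "afterwards checking whether we read too much". Neither item names the patch file it touches, which makes the rewrite hard to audit from the changelog alone.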
* No UCS specific patches
* Comparison to previously and next shipped version ok
* Installation Ok
* Advisory Ok
<http://errata.software-univention.de/ucs/4.2/347.html>