libgig: CVE-2017-12954

Related Vulnerabilities: CVE-2017-12954, CVE-2017-12950, CVE-2017-12951, CVE-2017-12952, CVE-2017-12953

Debian Bug report logs - #877652
libgig: CVE-2017-12954


Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Wed, 30 Aug 2017 12:51:01 UTC

Severity: grave

Tags: security, upstream

Found in version libgig/4.0.0-3

Fixed in version libgig/4.0.0-5

Done: Jaromír Mikeš <mira.mikes@seznam.cz>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Wed, 30 Aug 2017 12:51:03 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 12:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: Multiple security issues (CVE-2017-12950 to CVE-2017-12954)
Date: Wed, 30 Aug 2017 14:46:41 +0200

Source: libgig
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libgig. See
http://seclists.org/fulldisclosure/2017/Aug/39 for the initial report
with reproducer files.

CVE-2017-12950[0]:
| The gig::Region::Region function in gig.cpp in libgig 4.0.0 allows
| remote attackers to cause a denial of service (NULL pointer
| dereference and application crash) via a crafted gig file.

CVE-2017-12951[1]:
| The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in
| libgig 4.0.0 allows remote attackers to cause a denial of service
| (stack-based buffer over-read and application crash) via a crafted gig
| file.

CVE-2017-12952[2]:
| The LoadString function in helper.h in libgig 4.0.0 allows remote
| attackers to cause a denial of service (NULL pointer dereference and
| application crash) via a crafted gig file.

CVE-2017-12953[3]:
| The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in
| libgig 4.0.0 allows remote attackers to cause a denial of service
| (invalid memory write and application crash) via a crafted gig file.

CVE-2017-12954[4]:
| The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig
| 4.0.0 allows remote attackers to cause a denial of service (invalid
| memory read and application crash) via a crafted gig file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12950
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12950
[1] https://security-tracker.debian.org/tracker/CVE-2017-12951
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12951
[2] https://security-tracker.debian.org/tracker/CVE-2017-12952
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12952
[3] https://security-tracker.debian.org/tracker/CVE-2017-12953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12953
[4] https://security-tracker.debian.org/tracker/CVE-2017-12954
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12954

Please adjust the affected versions in the BTS as needed.


-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Wed, 30 Aug 2017 13:12:08 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 13:12:08 GMT)


Message #10 received at 873718@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: cuse@users.sf.net
Cc: 873718@bugs.debian.org
Subject: Fixes for security vulnerabilities on libgig?
Date: Wed, 30 Aug 2017 15:09:39 +0200

[ Copy to the Debian bugtracker ]

Hello Christian,

a few security issues have been reported against libgig:
http://seclists.org/fulldisclosure/2017/Aug/39

The reproducer files are attached too:
http://seclists.org/fulldisclosure/2017/Aug/att-39/poc_zip.bin

I wanted to check that you were aware of those issues and if
you had any patch already. I could not find any bug tracker
with open issues so I'm writing to you directly. The subversion
repository has no recent history related to those issues either.

Thank you!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Aug 2017 14:03:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Wed, 30 Aug 2017 14:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 14:39:05 GMT)


Message #17 received at 873718@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 873718@bugs.debian.org
Cc: cuse@users.sf.net
Subject: Re: Bug#873718: Fixes for security vulnerabilities on libgig?
Date: Wed, 30 Aug 2017 16:34:44 +0200

Hi

All, but not CVE-2017-12951 are probably fixed already with the
4.0.0-4 upload to unstable today.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Wed, 30 Aug 2017 14:45:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 14:45:09 GMT)


Message #22 received at 873718@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 873718@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, cuse@users.sf.net
Subject: Re: Bug#873718: Fixes for security vulnerabilities on libgig?
Date: Wed, 30 Aug 2017 16:43:48 +0200

On Wed, Aug 30, 2017 at 04:34:44PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> All, but not CVE-2017-12951 are probably fixed already with the
> 4.0.0-4 upload to unstable today.

Might actually just uncover another problem after the fix.

Regards,
Salvatore



Marked as found in versions libgig/4.0.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 30 Aug 2017 14:45:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Wed, 30 Aug 2017 18:12:16 GMT)


Acknowledgement sent to Christian Schoenebeck <schoenebeck@linuxsampler.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 18:12:16 GMT)


Message #29 received at 873718@bugs.debian.org:

From: Christian Schoenebeck <schoenebeck@linuxsampler.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 873718@bugs.debian.org
Subject: Re: Fixes for security vulnerabilities on libgig?
Date: Wed, 30 Aug 2017 19:51:54 +0200

On Wednesday, August 30, 2017 15:09:39 Raphael Hertzog wrote:
> [ Copy to the Debian bugtracker ]
> 
> Hello Christian,

Hi Raphael,

> a few security issues have been reported against libgig:
> http://seclists.org/fulldisclosure/2017/Aug/39
> 
> The reproducer files are attached too:
> http://seclists.org/fulldisclosure/2017/Aug/att-39/poc_zip.bin
> 
> I wanted to check that you were aware of those issues and if
> you had any patch already. 

Thanks for letting me know. And no, I don't have any patch against those 
issues on my side yet. I see you already came up with some, so I will have a 
look at your patches.

> I could not find any bug tracker
> with open issues so I'm writing to you directly. The subversion
> repository has no recent history related to those issues either.

We do have a bug tracker:

	https://bugs.linuxsampler.org

However it currently does not accept new user (self)registrations, because we 
had to struggle with massive spam bot attacks on that tracker. So we decided 
to disable self-registrations for a while.

Thanks!

CU
Christian



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#873718; Package src:libgig. (Tue, 03 Oct 2017 18:00:03 GMT)


Acknowledgement sent to Christian Schoenebeck <schoenebeck@linuxsampler.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 03 Oct 2017 18:00:03 GMT)


Message #34 received at 873718@bugs.debian.org:

From: Christian Schoenebeck <schoenebeck@linuxsampler.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 873718@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#873718: Fixes for security vulnerabilities on libgig?
Date: Tue, 03 Oct 2017 20:07:58 +0200

Hi there,

I just applied your patch regarding CVE-2017-12950, CVE-2017-12952 and 
CVE-2017-12953 for libgig on our side, in slightly modified form:

http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348

Additionally, the following 2 patches are yet missing on your side, as far as 
I can see it.

1. CVE-2017-12951:
http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3349

2. CVE-2017-12954:
http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3350

Thanks for your report!

Best regards,
Christian Schoenebeck



Bug 873718 cloned as bugs 877651, 877652. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Oct 2017 19:27:02 GMT)


Changed Bug title to 'libgig: CVE-2017-12954' from 'Multiple security issues (CVE-2017-12950 to CVE-2017-12954)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Oct 2017 19:27:04 GMT)


Added tag(s) pending. Request was from Jaromír Mikeš <mira.mikes@seznam.cz> to control@bugs.debian.org. (Fri, 13 Oct 2017 20:45:06 GMT)


Message sent on to Raphael Hertzog <hertzog@debian.org>:
Bug#877652. (Fri, 13 Oct 2017 20:45:10 GMT)


Message #43 received at 877652-submitter@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 877652-submitter@bugs.debian.org
Subject: Bug#877652 marked as pending
Date: Fri, 13 Oct 2017 20:40:26 +0000

tag 877652 pending
thanks

Hello,

Bug #877652 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/libgig.git/commit/?id=0e5b4cb

---
commit 0e5b4cb61757ef3ad7cb558dc2d4e07c5d2a3a59
Author: Jaromír Mikeš <mira.mikes@seznam.cz>
Date:   Fri Oct 13 22:24:47 2017 +0200

    Start new upload.

diff --git a/debian/changelog b/debian/changelog
index aceb127..6fc86e9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libgig (4.0.0-5) UNRELEASED; urgency=medium
+
+  * Add patch to fix CVE-2017-12951. (Closes: #877651)
+  * Add patch to fix CVE-2017-12954. (Closes: #877652)
+
+ -- Jaromír Mikeš <mira.mikes@seznam.cz>  Fri, 13 Oct 2017 22:24:30 +0200
+
 libgig (4.0.0-4) unstable; urgency=medium
 
   * debian/patches/CVE-2017-12952.diff: fix some crashes
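
Review bot: the new 4.0.0-5 entry does not name the patch files it adds, while the 4.0.0-4 entry just below cites debian/patches/CVE-2017-12952.diff by path. Naming each file in the two "Add patch to fix ..." lines, along with the upstream revision it was taken from (the thread gives r3349 for CVE-2017-12951 and r3350 for CVE-2017-12954), would let a reader match the changelog to the fix. This diff touches only debian/changelog, so the patches themselves are not visible for review here, and the commit message "Start new upload." gives no hint that it is a security upload. urgency=medium is also worth reconsidering for a bug filed as severity grave with the security tag.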



Reply sent to Jaromír Mikeš <mira.mikes@seznam.cz>:
You have taken responsibility. (Fri, 13 Oct 2017 21:45:07 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Fri, 13 Oct 2017 21:45:07 GMT)


Message #48 received at 877652-close@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 877652-close@bugs.debian.org
Subject: Bug#877652: fixed in libgig 4.0.0-5
Date: Fri, 13 Oct 2017 21:43:44 +0000

Source: libgig
Source-Version: 4.0.0-5

We believe that the bug you reported is fixed in the latest version of
libgig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaromír Mikeš <mira.mikes@seznam.cz> (supplier of updated libgig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Oct 2017 22:33:54 +0200
Source: libgig
Binary: libgig-dev libgig7 libakai0 gigtools libgig-doc
Architecture: source amd64 all
Version: 4.0.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jaromír Mikeš <mira.mikes@seznam.cz>
Description:
 gigtools   - command line tools for Gigasampler and DLS Level 1/2 files
 libakai0   - library for loading and modifying akai files
 libgig-dev - development files for libgig
 libgig-doc - HTML documentation for libgig
 libgig7    - library for loading and modifying Gigasampler and DLS files
Closes: 877651 877652
Changes:
 libgig (4.0.0-5) unstable; urgency=medium
 .
   * Add patch to fix CVE-2017-12951. (Closes: #877651)
   * Add patch to fix CVE-2017-12954. (Closes: #877652)
   * Bump Standards.
   * Update Vcs to use git instead of cgit.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Nov 2017 07:26:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:42:41 2019; Machine Name: beach
