Bug 1141435 (CVE-2019-1010011)

Summary: VUL-1: CVE-2019-1010011: abcm2ps: stack-based buffer overflow in functions get_key (parse.c) and delayed_output (music.c)
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Bergmann <abergmann>
Component: OtherAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low    
Version: Leap 15.1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/237128/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2019-07-15 08:40:49 UTC 
CVE-2019-1010011

moinejf abcm2ps 8.13.16 and after is affected by: CWE-121: Stack-based Buffer
Overflow. The impact is: This vulnerability allows remote attackers to cause a
denial of service via a crafted file. The component is: parse.c / function:
get_key and music.c/ function: delayed_output.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010011
https://drive.google.com/drive/folders/1xiVrcB1lTE_mSd_mL7akjpscH4CUahYU?usp=sharing
https://drive.google.com/drive/folders/1nAL-B_I5Y7SKX0AeIurGkTzNHMazoyzP?usp=sharing
Comment 1 Michael Vetter 2019-07-18 13:07:32 UTC 
We are not affected by this.

It seems CVE-2019-1010011 is just a duplicate of already existing CVEs.

CVE-2018-10771: https://github.com/leesavide/abcm2ps/commit/dc0372993674d0b50fedfbf7b9fad1239b8efc5f
contained in releases since v8.13.21.

CVE-2018-10753: https://github.com/leesavide/abcm2ps/commit/fd956e19f88ee32f8ec4aece5901400b06e80bcc
contained in releases since v8.13.21

Also see upstream issue https://github.com/leesavide/abcm2ps/issues/55