Bugzilla – Bug 1002982
VUL-0: CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972: libass: multiple memory management issues
Last modified: 2017-10-26 07:20:58 UTC
CVE-2016-7969: In wrap_lines_smart()
https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26
CVE-2016-7971: A huge memory allocation leading to a crash that wasn't fixed because a good solution is unavailable at the moment.
CVE-2016-7972: In check_allocations()
https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7971
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7969
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7972
http://seclists.org/oss-sec/2016/q4/24
Okay, let's wait for the 2nd CVE then. I put the latest version to Factory at least for now. Also, it seems like they don't plan to fix the DoS issue anytime soon given the comments?
This is an autogenerated message for OBS integration:
This bug (1002982) was mentioned in
https://build.opensuse.org/request/show/433292 13.2 / libass
https://build.opensuse.org/request/show/433294 42.1 / libass
https://build.opensuse.org/request/show/433295 42.2 / libass
https://build.opensuse.org/request/show/433296 Factory / libass
This is an autogenerated message for OBS integration:
This bug (1002982) was mentioned in
https://build.opensuse.org/request/show/433343 42.2 / libass
bugbot adjusting priority
This is an autogenerated message for OBS integration:
This bug (1002982) was mentioned in
https://build.opensuse.org/request/show/433791 Factory / libass
Also we have in there:
* Fix illegal read in Gaussian blur coefficient calculations. (CVE-2016-7970)
Still no fix for 7971.
(In reply to Tomáš Chvátal from comment #6)
> Also we have in there:
> * Fix illegal read in Gaussian blur coefficient calculations.
> (CVE-2016-7970)
https://github.com/libass/libass/commit/08e754612019ed84d1db0d1fc4f5798248decd75
fixed in 0.13.4
> Still no fix for 7971.
Regarding CVE-2016-7971, from http://seclists.org/oss-sec/2016/q4/299
> The MITRE CVE team has no current plans to reject this CVE.
> [...]
> Even if neither the upstream vendor nor any Linux distribution will
> ever make any code change for CVE-2016-7971, discussion of the issue
> can help with understanding the product's behavior.
> [...]
> The MITRE CVE team is willing to mark a CVE with "DISPUTED" if someone
> believes that it's based solely on an "AddressSanitizer failed to
> allocate ... bytes of LargeMmapAllocator" misinterpretation, and
> believes that it cannot have any relevance to risk management.
Not fixing CVE-2016-7971: Does not really affect us, not using ASAN.
This is an autogenerated message for OBS integration:
This bug (1002982) was mentioned in
https://build.opensuse.org/request/show/443692 42.1 / libass
https://build.opensuse.org/request/show/443693 13.2 / libass
All submissions done with CVEs as applicable for various codestreams.
openSUSE-SU-2016:3087-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002982
CVE References: CVE-2016-7969,CVE-2016-7972
Sources used:
openSUSE Leap 42.1 (src): libass-0.12.3-6.1
openSUSE 13.2 (src): libass-0.12.1-2.8.1
SUSE-SU-2016:3107-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1002982
CVE References: CVE-2016-7969,CVE-2016-7970,CVE-2016-7971,CVE-2016-7972
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Server 12-SP2 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Server 12-SP1 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libass-0.10.2-3.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libass-0.10.2-3.1
released