Gentoo Archives: gentoo-announce

From: ajak@g.o
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202107-18 ] BladeEnc: Buffer overflow
Date: Thu, 08 Jul 2021 04:02:18
Message-Id: YOZ1X7Iu1GHj5BS2@sol.nexus.lan
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202107-18
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: BladeEnc: Buffer overflow
9 Date: July 08, 2021
10 Bugs: #631394
11 ID: 202107-18
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A buffer overflow in BladeEnc might allow arbitrary code execution.
19
20 Background
21 ==========
22
23 BladeEnc is an mp3 encoder.
24
25 Affected packages
26 =================
27
28 -------------------------------------------------------------------
29 Package / Vulnerable / Unaffected
30 -------------------------------------------------------------------
31 1 media-sound/bladeenc < 0.94.2-r1 Vulnerable!
32 -------------------------------------------------------------------
33 NOTE: Certain packages are still vulnerable. Users should migrate
34 to another package if one is available or wait for the
35 existing packages to be marked stable by their
36 architecture maintainers.
37
38 Description
39 ===========
40
41 A crafted file could cause a buffer overflow in the iteration_loop
42 function in BladeEnc.
43
44 Impact
45 ======
46
47 A remote attacker could entice a user to open a specially crafted using
48 BladeEnc, possibly resulting in execution of arbitrary code with the
49 privileges of the process or a Denial of Service condition.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 Gentoo has discontinued support for BladeEnc. We recommend that users
60 unmerge ssvnc:
61
62 # emerge --ask --depclean "media-sound/bladeenc"
63
64 NOTE: The Gentoo developer(s) maintaining BladeEnc have discontinued
65 support at this time. It may be possible that a new Gentoo developer
66 will update BladeEnc at a later date. We do not have a suggestion for a
67 replacement at this time.
68
69 References
70 ==========
71
72 [ 1 ] CVE-2017-14648
73 https://nvd.nist.gov/vuln/detail/CVE-2017-14648
74
75 Availability
76 ============
77
78 This GLSA and any updates to it are available for viewing at
79 the Gentoo Security Website:
80
81 https://security.gentoo.org/glsa/202107-18
82
83 Concerns?
84 =========
85
86 Security is a primary focus of Gentoo Linux and ensuring the
87 confidentiality and security of our users' machines is of utmost
88 importance to us. Any security concerns should be addressed to
89 security@g.o or alternatively, you may file a bug at
90 https://bugs.gentoo.org.
91
92 License
93 =======
94
95 Copyright 2021 Gentoo Foundation, Inc; referenced text
96 belongs to its owner(s).
97
98 The contents of this document are licensed under the
99 Creative Commons - Attribution / Share Alike license.
100
101 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature