{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20181793",
|
||
"Version": "oval:org.altlinux.errata:def:20181793",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2018-1793: package `lame` update to version 3.100-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c9f2"
|
||
],
|
||
"Products": [
|
||
"ALT SPWorkstation",
|
||
"ALT SPServer"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2018-1793",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2018-1793",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2019-01637",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2019-01637",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2015-9099",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-9099",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2015-9100",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-9100",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2015-9101",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-9101",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-11720",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-11720",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-13712",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-13712",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-15018",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15018",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-15019",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15019",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-15045",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15045",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-15046",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-15046",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-8419",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-8419",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-9412",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9412",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-9869",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9869",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-9870",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9870",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-9871",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9871",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2017-9872",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9872",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades lame to version 3.100-alt1. \nSecurity Fix(es):\n\n * BDU:2019-01637: Уязвимость функции III_Afficantize_sample приложения для кодирования аудио LAME, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2015-9099: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.\n\n * CVE-2015-9100: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.\n\n * CVE-2015-9101: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.98.4, 3.98.2, 3.98, 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4 and 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.\n\n * CVE-2017-11720: There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.\n\n * CVE-2017-13712: NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument.\n\n * CVE-2017-15018: LAME 3.99.5, 3.99.4, 3.99.3, 3.99.2, 3.99.1, 3.99, 3.98.4, 3.98.2 and 3.98 have a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.\n\n * CVE-2017-15019: LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.\n\n * CVE-2017-15045: LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410.\n\n * CVE-2017-15046: LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412.\n\n * CVE-2017-8419: LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels.\n\n * CVE-2017-9412: The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.\n\n * CVE-2017-9869: The II_step_one function in layer2.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.\n\n * CVE-2017-9870: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the \"block_type == 2\" case, a similar issue to CVE-2017-11126.\n\n * CVE-2017-9871: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.\n\n * CVE-2017-9872: The III_dequantize_sample function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.\n\n * #34938: lame: new version",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "Critical",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2018-05-24"
|
||
},
|
||
"Updated": {
|
||
"Date": "2018-05-24"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2019-01637",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://bdu.fstec.ru/vul/2019-01637",
|
||
"Impact": "High",
|
||
"Public": "20170608"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2015-9099",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-9099",
|
||
"Impact": "Low",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2015-9100",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-476",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-9100",
|
||
"Impact": "Low",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2015-9101",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-9101",
|
||
"Impact": "Low",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-11720",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-369",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-11720",
|
||
"Impact": "Critical",
|
||
"Public": "20170728"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-13712",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-476",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-13712",
|
||
"Impact": "High",
|
||
"Public": "20170828"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-15018",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15018",
|
||
"Impact": "Low",
|
||
"Public": "20171005"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-15019",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-476",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15019",
|
||
"Impact": "High",
|
||
"Public": "20171005"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-15045",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15045",
|
||
"Impact": "Low",
|
||
"Public": "20171006"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-15046",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-15046",
|
||
"Impact": "Low",
|
||
"Public": "20171006"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-8419",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-8419",
|
||
"Impact": "High",
|
||
"Public": "20170502"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-9412",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9412",
|
||
"Impact": "Low",
|
||
"Public": "20170727"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-9869",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9869",
|
||
"Impact": "Low",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-9870",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9870",
|
||
"Impact": "Low",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-9871",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9871",
|
||
"Impact": "High",
|
||
"Public": "20170625"
|
||
},
|
||
{
|
||
"ID": "CVE-2017-9872",
|
||
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
||
"CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||
"CWE": "CWE-119",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9872",
|
||
"Impact": "High",
|
||
"Public": "20170625"
|
||
}
|
||
],
|
||
"Bugzilla": [
|
||
{
|
||
"ID": "34938",
|
||
"Href": "https://bugzilla.altlinux.org/34938",
|
||
"Data": "lame: new version"
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:8.4",
|
||
"cpe:/o:alt:spserver:8.4"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20181793001",
|
||
"Comment": "lame is earlier than 0:3.100-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20181793002",
|
||
"Comment": "liblame is earlier than 0:3.100-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20181793003",
|
||
"Comment": "liblame-devel is earlier than 0:3.100-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |