CVE-2017-15953: bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer overflow and crash when processing a malformed CUE (.cue) file.
https://github.com/extramaster/bchunk/issues/2

CVE-2017-15954: bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap-based buffer overflow (with a resultant invalid free) and crash when processing a malformed CUE (.cue) file.
https://github.com/extramaster/bchunk/issues/3

CVE-2017-15955: bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an "Access violation near NULL on destination operand" and crash when processing a malformed CUE (.cue) file.
https://github.com/extramaster/bchunk/issues/4
Created bchunk tracking bugs for this issue: Affects: fedora-all [bug 1507577]
I've patched the vulnerabilities. Thanks to Wen Bin for reporting this!
https://github.com/NixOS/nixpkgs/blob/7d04f9f8fdf22071f422ba8563d47b9ca04c518c/pkgs/tools/cd-dvd/bchunk/CVE-2017-15953.patch
https://github.com/NixOS/nixpkgs/blob/7d04f9f8fdf22071f422ba8563d47b9ca04c518c/pkgs/tools/cd-dvd/bchunk/CVE-2017-15955.patch
Thanks for handling this.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.