CVE-2015-9099
The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775959
CVE-2015-9100
The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777160
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777161
Created lame tracking bugs for this issue:
Affects: epel-all [bug 1470201]
Affects: fedora-all [bug 1470202]
Adding multiple vulnerabilities.
CVE-2017-9410
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted wav file.
CVE-2017-9411
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
CVE-2017-9412
The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
References:
http://seclists.org/fulldisclosure/2017/Jul/63
Adding one more.
CVE-2017-11720
There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.
https://sourceforge.net/p/lame/bugs/460/
Created attachment 1319324
A patch is proposed for Lame 3.99.5 mp3 encoder with CVE ID: 2017-9411
Hello all,
I proposed a patch for a bug encountered in Lame version 3.99.5 which already has a CVE-ID: 2017-9411.
Description: The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.
POC: lame_3.99.5_invalid_memory_read_1.wav
CVE: CVE-2017-9411
Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42390.zip
CVE-2017-13712
NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument.
https://sourceforge.net/p/lame/bugs/472/
CVE-2017-15045
LAME 3.99.5 has a heap-based buffer over-read, a different vulnerability than CVE-2017-9410.
https://sourceforge.net/p/lame/bugs/478/
CVE-2017-15046
LAME 3.99.5 has a stack-based buffer overflow, a different vulnerability than CVE-2017-9412.
https://sourceforge.net/p/lame/bugs/479/
CVE-2017-15018
LAME 3.99.5 has a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.
https://sourceforge.net/p/lame/bugs/480/
CVE-2017-15019
LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.
https://sourceforge.net/p/lame/bugs/477/
CVE-2017-8419
LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels.
https://sourceforge.net/p/lame/bugs/458/
I opened a bug as there's a new upstream release that resolves some of the vulnerabilities:
https://bugzilla.redhat.com/show_bug.cgi?id=1505107
From my point of view, 3.100 fixes all of these CVEs except CVE-2017-15019. Is that correct?
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.