Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libopus: 1.1.3 -> 1.1.4 #25973

Merged
merged 1 commit into from May 22, 2017
Merged

libopus: 1.1.3 -> 1.1.4 #25973

merged 1 commit into from May 22, 2017
+2 −9

Conversation

ghost
Copy link

@ghost ghost commented May 21, 2017

Motivation for this change

http://opus-codec.org/release/stable/2017/01/20/libopus-1_1_4.html

This Opus 1.1.4 release fixes a single bug. A specially-crafted Opus packet could cause an integer wrap-around in the SILK LSF stabilization code. This would cause an out-of-bounds read 256 bytes before a constant table. In most circumstances, the consequences are harmless and the result is simply noise in the audio.

This was reported as CVE-2017-0381. Contrary to that report, our own analysis shows that no remote code execution is possible. However, we are making this release as a precaution.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@GeNTooFReaK
libopus: 1.1.3 -> 1.1.4

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: A863DD530759FC81
Learn about vigilant mode
88af502
@mention-bot
Copy link

@GeNTooFReaK, thanks for your PR! By analyzing the history of the files in this pull request, we identified @viric, @vcunat and @fpletz to be potential reviewers.

@Mic92 Mic92 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 21, 2017
@fpletz
Copy link
Member

fpletz commented May 22, 2017

Tested and successfully built some packages depending on libopus. Thanks!

@fpletz fpletz merged commit 933ab0c into NixOS:master May 22, 2017
fpletz pushed a commit that referenced this pull request May 22, 2017
@GeNTooFReaK @fpletz
libopus: 1.1.3 -> 1.1.4

Verified

This commit was signed with the committer’s verified signature.
fpletz Franz Pletz
GPG key ID: 846FDED7792617B4
Verified
Learn about vigilant mode
50fdb3a 
(cherry picked from commit 88af502)

Security release. See #25973.

Fixes CVE-2017-0381.
@ghost ghost deleted the feature/libopus-1.1.4 branch May 22, 2017 18:01
@vcunat
Copy link
Member

vcunat commented May 23, 2017

Well, that CVE was patched, so this PR seems basically a no-op...

@vcunat vcunat removed the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 23, 2017
adrianpk added a commit to adrianpk/nixpkgs that referenced this pull request May 31, 2024
@adrianpk
libopus: 1.1.3 -> 1.1.4
1d75ea0 
(cherry picked from commit 88af502)

Security release. See NixOS#25973.

Fixes CVE-2017-0381.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mention-bot @fpletz @vcunat @Mic92 @GeNTooFReaK