Updated TiMidity++ packages fix security vulnerabilities
Publication date: 28 Feb 2018
Modification date: 28 Feb 2018
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-11546, CVE-2017-11547
Description
The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option (CVE-2017-11546).

The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation (CVE-2017-11547).
References
SRPMS
5/core
- TiMidity++-2.14.0-6.1.mga5
6/core
- TiMidity++-2.14.0-9.1.mga6