   openSUSE Security Update: Security update for libid3tag
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:0735-1
Rating:             moderate
References:         #1081959 #1081961 #1081962 #387731
Cross-References:   CVE-2004-2779 CVE-2008-2109 CVE-2017-11550
                    CVE-2017-11551
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for libid3tag fixes the following issues:

   - CVE-2004-2779 CVE-2017-11551: Fixed id3_utf16_deserialize() in utf16.c,
     which previously misparsed ID3v2 tags encoded in UTF-16 with an odd
     number of bytes, triggering an endless loop allocating memory until OOM
     leading to DoS. (bsc#1081959 bsc#1081961)
   - CVE-2017-11550 CVE-2008-2109: Fixed the handling of unknown encodings
     when parsing ID3 tags. (bsc#1081962 bsc#387731)

   This update was imported from the SUSE:SLE-12:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-277=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      libid3tag-debugsource-0.15.1b-188.3.1
      libid3tag-devel-0.15.1b-188.3.1
      libid3tag0-0.15.1b-188.3.1
      libid3tag0-debuginfo-0.15.1b-188.3.1

   - openSUSE Leap 42.3 (x86_64):

      libid3tag0-32bit-0.15.1b-188.3.1
      libid3tag0-debuginfo-32bit-0.15.1b-188.3.1


References:

   https://www.suse.com/security/cve/CVE-2004-2779.html
   https://www.suse.com/security/cve/CVE-2008-2109.html
   https://www.suse.com/security/cve/CVE-2017-11550.html
   https://www.suse.com/security/cve/CVE-2017-11551.html
   https://bugzilla.suse.com/1081959
   https://bugzilla.suse.com/1081961
   https://bugzilla.suse.com/1081962
   https://bugzilla.suse.com/387731
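
The odd-length UTF-16 failure mode described above for CVE-2004-2779 / CVE-2017-11551, as an added illustration that is not libid3tag's code. The names `decode_utf16le` and `count_strings`, the string-list caller loop, and the sample bytes are assumptions made for this sketch; the no-progress check stands in for the point where an unguarded loop would keep spinning and allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: "ab", NUL, "c", then one stray byte (9 bytes, odd). */
static const uint8_t SAMPLE[] = { 'a',0, 'b',0, 0,0, 'c',0, 0x21 };

/* Decode one NUL-terminated UTF-16LE string. Only whole 2-byte units are
 * read; with hardened != 0 a lone trailing byte is skipped so the caller
 * always sees the input pointer advance. Returns the units decoded. */
static size_t decode_utf16le(const uint8_t **ptr, size_t length, int hardened)
{
    const uint8_t *end = *ptr + (length & ~(size_t)1); /* drops the odd byte */
    size_t units = 0;

    while (end - *ptr > 0) {
        uint16_t u = (uint16_t)((*ptr)[0] | ((*ptr)[1] << 8));
        *ptr += 2;
        if (u == 0)
            break;                      /* string terminator */
        units++;
    }
    if (hardened && *ptr == end && (length & 1))
        (*ptr)++;                       /* consume the stray byte */
    return units;
}

/* Count the strings in a list; returns -1 when an iteration consumed no
 * input, which is where a loop without this check never terminates. */
int count_strings(const uint8_t *data, size_t len, int hardened)
{
    const uint8_t *ptr = data, *end = data + len;
    int n = 0;

    while (end - ptr > 0) {
        const uint8_t *before = ptr;
        decode_utf16le(&ptr, (size_t)(end - ptr), hardened);
        if (ptr == before)
            return -1;                  /* stalled on the odd trailing byte */
        n++;                            /* real code would allocate a string here */
    }
    return n;
}

int main(void)
{
    printf("unguarded: %d\n", count_strings(SAMPLE, sizeof SAMPLE, 0));
    printf("hardened:  %d\n", count_strings(SAMPLE, sizeof SAMPLE, 1));
    return 0;
}
```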